Introduction To User ID controlled by request parameter with unpredictable user IDs
Hello Beautiful people, how are you all? Today we are starting to write articles on access control vulnerabilities. This is our 6th article on access control vulnerabilities. In this article, we will cover the topic of ‘User ID controlled by request parameter, with unpredictable user IDs’ in PortSwigger Web Security Lab. We will provide a complete step-by-step practical approach in order to help you understand it better.
This lab focuses on horizontal privilege escalation vulnerability, where we exploit it to gain access to another user’s account.
In this lab, each user has a unique GUID, and our task is to analyze the traffic and find Carlos’ GUID to submit his account’s API key, which will solve the lab.
Credentials have already been provided: username=wiener and password=peter.
First, we will access the lab.
After accessing the lab, we will see an interface. Now, we will go to ‘My Account’ and log in to our own account.
After logging in, we will open Burp Suite and enable the proxy. Once the proxy is enabled, we will analyze the traffic to find the GUIDs of the users.
I have simply logged in with my account. After logging in, I am analyzing the traffic. Now, I will click on the home button to open random posts and click on the names of the authors. All this traffic will be stored in the Burp Proxy.
You can see that there is an ID for my account. This ID contains a flaw, which we will exploit to steal Carlos’ API key.
I clicked on the home button and visited some random posts, where I saw the IDs of both administrators and Carlos. Since the IDs of these authors were clickable, I clicked on them.
When I clicked on Carlos, I turned on intercept and captured his ID. Now, I will copy the value of ‘userid=’ from here. After copying, I will replace this ID with my own ID (wiener account) and forward the request.
You can see that I have sent my account’s request to Repeater and replaced the userid with Carlos’ ID. Now, I have logged into Carlos’ account, and I have obtained Carlos’ API key. Now, I will simply submit Carlos’ API key in the lab and solve it.
You can see that after submitting the key, we have successfully solved the PortSwigger Web Security lab on ‘User ID controlled by request parameter with unpredictable user IDs’.
You can learn everything related to web security on our website. We upload the latest articles on web security topics daily, so stay with us.
To continue studying check out the next lab i.e. User ID Controlled By Request Parameter With Data Leakage In Redirect, cover the current lab before visiting the next lab. Good Luck!
Don’t forget to follow me on Twitter @masaudsec.