User ID controlled by request parameter

Description

This lab has a horizontal privilege escalation vulnerability on the user account page.

Reproduction and proof of concept

  1. Log in using wiener:peter and go to your account page.

  2. Note that the URL contains your username in the “id” parameter.

  3. Send the request to Burp Repeater.

  4. Change the “id” parameter to carlos.

  5. Retrieve the API key for carlos.

ACL

  1. Enter it as the solution.

Exploitability

An attacker will need to obtain the API key for the user carlos.