|
| 1 | +--- |
| 2 | +title: "User ID controlled by request parameter, with unpredictable user IDs" |
| 3 | +description: >- |
| 4 | + This lab revolves around a horizontal privilege escalation vulnerability. The web app identifies each user with GUIDs for their user account pages. We need to locate the GUID for user Carlos and submit his API key as the solution. |
| 5 | +date: 2024-05-16 12:10:00 +0800 |
| 6 | +categories: [Web Security Academy Labs] |
| 7 | +tags: [IDOR, Privilege escalation, Access Control] |
| 8 | +pin: false |
| 9 | +--- |
| 10 | + |
| 11 | + |
| 12 | + |
| 13 | +*** |
| 14 | +## Access Controls |
| 15 | +## Lab #4: User ID controlled by request parameter, with unpredictable user IDs |
| 16 | + |
| 17 | +Hola 👋 welcome back. This is the Lab 4# [User ID controlled by request parameter, with unpredictable user IDs](https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/lab-user-id-controlled-by-request-parameter-with-unpredictable-user-ids#) write-up of the Access Control labs on WebSec Academy. This lab revolves around a horizontal privilege escalation vulnerability. The web app identifies each user with GUIDs for their user account pages. We need to locate the GUID for user Carlos and submit his API key as the solution. Let's get started. |
| 18 | + |
| 19 | + |
| 20 | + |
| 21 | +*** |
| 22 | +### End Goal :# |
| 23 | +- Find the GUID for carlos, then submit his API key as the solution. |
| 24 | + |
| 25 | +### Horizontal Privilege Escalation: |
| 26 | +**_Occurs when a user is able to gain access to resources belonging to another user, instead of their own resourcesof that type._** |
| 27 | + |
| 28 | +*** |
| 29 | +### Testing for vulnerabilities: |
| 30 | + |
| 31 | + |
| 32 | + |
| 33 | +- The web application is a blog site where each user has posted blogs. Let's check for a blog that the user Carlos has posted. By clicking on Carlos and checking the URL, we can identify the value of the "id" parameter associated with the user Carlos. Let's copy it and save it for later use. |
| 34 | + |
| 35 | + |
| 36 | + |
| 37 | +- Next, let's log in to our own account using the following credentials: wiener:peter. |
| 38 | +- So when I log in, we can see that I have an ID associated with my account. |
| 39 | + |
| 40 | + |
| 41 | + |
| 42 | +- In the Repeater tab, let's change the value of the Wiener ID to Carlos ID, which we copied earlier in the URLs, and send the request. Now, we're logged in as user Carlos. |
| 43 | + |
| 44 | + |
| 45 | + |
| 46 | +- and we can see his API key. Let's copy it and submit it. With that, we've completed our goal. |
| 47 | + |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | + |
| 52 | + |
| 53 | +That's all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @[T3chnocr4t](https://twitter.com/T3chnocr4t). Feel free to DM me if you have any issues with my write-up. Thanks! |
| 54 | + |
| 55 | +[Go Back Home](https://t3chnocr4t.github.io/) |
0 commit comments