
Commit d62fa90

committed
updating the blog post
1 parent 1bb6981 commit d62fa90

2 files changed

+55
-0
lines changed

_posts/2024-05-15-user-role-controlled-by-request-parameter.md renamed to _posts/2024-05-15-user-role-controlled-by-reques-parameter.md

File renamed without changes.
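Review bot: the target filename of this rename drops the 't' from 'request' ('user-role-controlled-by-reques-parameter.md'), so the rename introduces a typo instead of fixing one. Jekyll derives a post's URL slug from the filename, so the published URL will carry the misspelling and any existing link to the old slug will stop resolving. Suggest reverting to '_posts/2024-05-15-user-role-controlled-by-request-parameter.md', or, if the rename is intentional, keeping the old slug via a 'permalink' entry in the front matter.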
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
---
2+
title: "User ID controlled by request parameter"
3+
description: >-
4+
This lab has a horizontal privilege escalation vulnerability on a user account page. Let's try to exploit the vulnerabilities.
5+
date: 2024-06-02 12:10:00 +0800
6+
categories: [Web Security Academy Labs]
7+
tags: [IDOR, Privilege escalation, Access Control]
8+
image:
9+
path: https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/233707e5-1d04-409f-b413-33766ae43a5b
10+
alt: Access control
11+
---
12+
13+
***
14+
# Access Control
15+
## Lab #: User ID controlled by request parameter
16+
17+
Guys 👋, welcome back. Let's go through this lab real quick. This lab has a horizontal privilege escalation vulnerability on a user account page. Let's try to exploit the vulnerabilities.
18+
19+
To solve the lab, we need to obtain the API key for the user Carlos and submit it as the solution. Note: Am using caido you can follow along using burp also..
20+
21+
22+
***
23+
### End Goals:
24+
- Obtain the API key for the user carlos
25+
- You can log in to your own account using the following credentials: wiener:peter
26+
27+
***
28+
### What Horizontal privilege escalation 🤔?
29+
Horizontal privilege escalation occurs if a user is able to gain access to resources belonging to another user, instead of their own resources of that type.
30+
31+
***
32+
### Testing for vulnerabilities~:
33+
34+
![1](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/3c7a6207-54cd-4b86-a571-564fc5fef0e4)
35+
36+
- Let's log in to our account using the following credentials and test all features in the application. Turn on our proxy to collect requests. See how the web app handles requests, processes our requests, and identifies users.
37+
- When log in, let's check our proxy. We can see that the web app identifies the user in the URL. The value of the id parameter contain our username.. Nice😂
38+
39+
![2](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/580ca22d-54bc-44b1-84ac-619768ee19ab)
40+
41+
- The hacker inside us. we should send the request to repeater/replay and modify the value of the 'id' parameter to 'carlos'.
42+
- We got in (200 ok) and we can see user carlos API key
43+
44+
![3](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/5dce46f3-6b5c-48e5-8936-2305fc3dc459)
45+
46+
- Retrieve and submit the API key for carlos. we solve the lab easy right..
47+
48+
![4](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/3fb33e19-ea7e-4f5d-bb10-f80e770607fb)
49+
50+
![5](https://github.com/T3chnocr4t/T3chnocr4t.github.io/assets/115868619/ae93ac63-0136-44bb-9de8-3c87e6d54e18)
51+
52+
53+
That's all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @[T3chnocr4t](https://twitter.com/T3chnocr4t). Feel free to DM me if you have any issues with my write-up. Thanks!
54+
55+
[Go Back Home](https://t3chnocr4t.github.io/)
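Review bot: the post walks through the exploit but never states why the request is vulnerable or what the fix is, and the heading '## Lab #: User ID controlled by request parameter' is missing its lab number. Suggest one sentence after the 'We got in (200 ok) and we can see user carlos API key' bullet: the account page trusts the client-supplied 'id' parameter to decide whose data to return instead of resolving the account from the authenticated session, so the fix is to ignore 'id' entirely (or compare it against the session's user and return 403 on mismatch); that is the actual lesson of the lab, and the IDOR tag only makes sense once it is spelled out. Smaller points in the same hunk: the description and intro say 'exploit the vulnerabilities' for a single vulnerability; 'Am using caido you can follow along using burp also..' should read 'I'm using Caido; you can follow along in Burp as well.'; '### Testing for vulnerabilities~:' has a stray tilde; 'When log in, let's check our proxy' should be 'When we log in, let's check our proxy'; 'The value of the id parameter contain our username' needs 'contains'; and 'The hacker inside us. we should send the request' is a sentence fragment that could read 'The hacker inside us says: send the request to Repeater/Replay and change the value of the id parameter to carlos.'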
