Level 5: User ID Controlled by Request Parameter

Objective

Solve the lab by obtaining the API key for the user carlos and submitting it as the solution.

Explanation

In this lab, there is a horizontal privilege escalation vulnerability, where the user ID is controlled by a request parameter. By manipulating the id parameter in the URL, you can view and interact with other users' accounts, including obtaining sensitive information such as the API key of the user "carlos."

Resolution

  1. Log in using the provided credentials: wiener:peter.

  2. After logging in, you will be able to see your own username and API key.

  3. In the URL, you will find the parameter id=wiener. This specifies that you are viewing your own account.

  4. Change the id=wiener part of the URL to id=carlos to access the account of the user "carlos."

  5. Once the page loads for "carlos," locate the API key belonging to carlos.

  6. Submit this API key as the solution to complete the lab.
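What the steps above leave behind on the server, written as an added detection example (this is not part of the lab or of PortSwigger's code): each request to the account page carries both the authenticated session user and the client-chosen id parameter, so a mismatch between the two is the signal to hunt for. The log format, the session names and the timestamps below are constructed for illustration; a real application would log its own fields.

```python
"""Added detection example, not part of the lab: scan access-log lines for
requests where the authenticated session user differs from the account named
in the 'id' query parameter. Log format and all values are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log format: timestamp, session id, authenticated user ('-' when
# anonymous), method, request path with query string, response status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: session s1 views its own account, then carlos's account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z session=s1 user=wiener GET /my-account?id=wiener 200
2024-05-01T10:00:09Z session=s1 user=wiener GET /my-account?id=carlos 200
2024-05-01T10:01:00Z session=s2 user=carlos GET /my-account?id=carlos 200
2024-05-01T10:02:00Z session=s3 user=- GET /login 200
"""


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["endpoint"] = parts.path
    # parse_qs returns lists; keep the first 'id' value if present.
    rec["id_param"] = parse_qs(parts.query).get("id", [None])[0]
    return rec


def find_idor_candidates(log_text: str, endpoint: str = "/my-account"):
    """Return records where an authenticated user requested a different user's
    account. 'served' is True when the server answered 200, i.e. the access
    control failed; a 403 would show the check held."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["endpoint"] != endpoint:
            continue
        if rec["user"] == "-" or rec["id_param"] is None:
            continue  # anonymous request or no id parameter: nothing to compare
        if rec["id_param"] != rec["user"]:
            rec["served"] = rec["status"] == "200"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_idor_candidates(SAMPLE_LOG):
        print(f'{hit["ts"]} session={hit["session"]} user={hit["user"]} '
              f'requested id={hit["id_param"]} served={hit["served"]}')
```

The check deliberately keys on the server's own notion of who is logged in rather than on anything the client sent, which is the same principle the mitigation section asks of the application code: the session, not the URL, decides identity.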

Mitigation

  • Access Control: Implement proper access control to ensure that users can only access their own data and not the data of other users.

  • Server-side Authorization: Enforce strict server-side checks that the authenticated user owns the requested resource, and validate any user ID parameter against that identity before returning sensitive information.

  • URL Manipulation Prevention: Derive the acting user from the server-side session or an access token rather than from a URL parameter, so that changing a value in the address bar cannot change whose data is returned.

  • Data Separation: Ensure that sensitive data such as API keys are not easily accessible via predictable parameters in the URL.
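The vulnerable lookup beside its hardened form, as an added example that is not code from the lab or from PortSwigger: the vulnerable version picks the account purely from the client-supplied id parameter, while the hardened version takes identity from the server-side session and rejects any id that does not match it. The user store, the session shape, the placeholder API keys and the function names are all constructed for illustration.

```python
"""Added example (not part of the lab): vulnerable account lookup beside a
hardened one. USERS, the session dict and the placeholder keys are constructed."""

# Constructed server-side user store; the API keys are placeholders.
USERS = {
    "wiener": {"username": "wiener", "api_key": "WIENER-KEY-PLACEHOLDER"},
    "carlos": {"username": "carlos", "api_key": "CARLOS-KEY-PLACEHOLDER"},
}


class Forbidden(Exception):
    """Raised when the authenticated user may not view the requested account."""


def my_account_vulnerable(session: dict, params: dict) -> dict:
    """Vulnerable pattern: the account shown is chosen by the client-supplied
    'id' parameter alone, so any logged-in user can read any account.
    The session is accepted but never consulted."""
    account = USERS.get(params.get("id"))
    if account is None:
        raise KeyError("no such user")
    return {"username": account["username"], "api_key": account["api_key"]}


def my_account_hardened(session: dict, params: dict) -> dict:
    """Hardened pattern: identity comes from the server-side session. An 'id'
    parameter is tolerated for compatibility but must equal the session user;
    the safest variant drops the parameter entirely and always uses 'actor'."""
    actor = session.get("username")
    if actor is None:
        raise Forbidden("not authenticated")
    requested = params.get("id", actor)
    if requested != actor:
        # Same error whether or not the target user exists, so the response
        # does not confirm valid usernames.
        raise Forbidden("account does not belong to the authenticated user")
    account = USERS[actor]
    return {"username": account["username"], "api_key": account["api_key"]}


def can_view_account(session: dict, params: dict) -> bool:
    """Helper for tests and audits: True if the hardened check permits the request."""
    try:
        my_account_hardened(session, params)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    wiener_session = {"username": "wiener"}
    print("vulnerable:", my_account_vulnerable(wiener_session, {"id": "carlos"}))
    print("hardened, own account:", my_account_hardened(wiener_session, {"id": "wiener"}))
    print("hardened, other account allowed?", can_view_account(wiener_session, {"id": "carlos"}))
```

The difference between the two functions is the single comparison against the session user; everything else is identical, which is why this class of bug is easy to introduce and easy to miss in review unless every handler that reads an object identifier from the request is checked for an ownership test.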
