Level 7: User ID controlled by request parameter with data leakage in redirect

Objective

Solve the lab by obtaining the API key for the user "carlos" and submitting it as the solution.

Explanation

This lab demonstrates an access control vulnerability in which sensitive information (here, a user's API key) leaks through a redirect response. The account page takes the user to display from the id query parameter rather than from the session. When the id does not match the logged-in user, the server does redirect to the login page, but it has already rendered the account page, and that rendered HTML is sent as the body of the 302 response. A browser follows the redirect and never shows the body, so the leak is invisible in normal use; anyone holding the raw response (for example via an intercepting proxy, or an HTTP client that does not follow redirects) can read the other user's API key out of it.

Resolution

  1. Log in using the provided credentials: wiener:peter.

  2. Use an intercepting proxy (e.g., Burp Suite) to capture the request when accessing your account (e.g., /my-account?id=wiener).

  3. Send the intercepted request to the Repeater tool in Burp Suite.

  4. In Repeater, change the value of the id parameter from wiener to carlos.

  5. Send the request and inspect the response. Although the response is now a redirect to the login page, its body still contains the rendered account page for "carlos", including his API key. (Read it in Repeater rather than in the browser: the browser follows the redirect and discards the body.)

  6. Submit the API key for "carlos" as the solution to complete the lab.
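The following is an added example (not part of the original lab or writeup) of the check performed in step 5, done without Burp: it parses a raw HTTP response as an intercepting proxy would show it, reports whether a redirect response carries a body, and pulls the API key out of that body. The response bytes, the page markup and the key value are constructed for the example; the `fetch_account_page` helper is an assumption about how one would fetch the page with the standard library, which does not follow redirects on its own.

```python
import http.client
import re
from urllib.parse import urlsplit

# Constructed sample: the raw response for GET /my-account?id=carlos as
# captured by a proxy. The markup and the key are made up for this example.
_SAMPLE_BODY = (
    b"<html><body><h1>My Account</h1>"
    b"<div>Your username is: carlos</div>"
    b"<div>Your API Key is: X7qLq0bA3mZ9</div>"
    b"</body></html>"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    + b"Content-Length: %d\r\n" % len(_SAMPLE_BODY)
    + b"\r\n"
    + _SAMPLE_BODY
)

API_KEY_RE = re.compile(rb"Your API Key is:\s*([A-Za-z0-9]+)")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return status, headers, body


def find_api_key(body: bytes):
    """Return the API key printed on the account page, or None."""
    m = API_KEY_RE.search(body)
    return m.group(1).decode() if m else None


def check_redirect_leak(raw: bytes) -> dict:
    """Flag a 3xx response whose body still contains an API key."""
    status, headers, body = parse_response(raw)
    key = find_api_key(body)
    return {
        "status": status,
        "location": headers.get("location"),
        "api_key": key,
        # A redirect should have no meaningful body; one that carries the
        # rendered page (and a key) is exactly the leak this lab is about.
        "leaks": 300 <= status < 400 and key is not None,
    }


def fetch_account_page(base_url: str, session_cookie: str, user_id: str):
    """Fetch /my-account?id=<user_id> with the lab session cookie and return
    (status, headers, body). http.client does not follow redirects, so the
    302 body is returned as-is. Hypothetical helper; not run by the example."""
    parts = urlsplit(base_url)
    conn = http.client.HTTPSConnection(parts.netloc, timeout=10)
    conn.request(
        "GET",
        f"/my-account?id={user_id}",
        headers={"Cookie": f"session={session_cookie}"},
    )
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body


if __name__ == "__main__":
    print(check_redirect_leak(SAMPLE_RESPONSE))
```

If you use `requests` instead of `http.client`, pass `allow_redirects=False`; otherwise the library follows the 302 to /login and hands you the login page, hiding the leak just as the browser does.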

Mitigation

  • Access Control: Derive the identity of the user whose data is being shown from the authenticated session, not from a client-supplied parameter such as id. If a parameter is accepted at all, the server must check that it matches the session user before touching any data.

  • Order of operations: Perform the authorization check before rendering the page. Here the application builds the account page first and only then decides to redirect, so the sensitive content is already in the response. Decide first, render second.

  • Redirects: A redirect response should carry an empty (or purely navigational) body. Never attach the content of the page that was refused to the 3xx response that refuses it.

  • Sensitive Data Exposure: Do not place API keys, passwords or similar secrets in URLs, and return them in a response body only to the user they belong to, after the check above has passed.
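As an added example of the first three points (not the lab's own server code), here is a minimal handler written the way the vulnerable page behaves, next to a hardened version. The request and response types, the user table and the API key values are constructed for the example; the real application's framework and routing are not known and are not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed user table; the keys are made up.
USERS = {
    "wiener": {"api_key": "WienerKey0001"},
    "carlos": {"api_key": "CarlosKey0002"},
}


@dataclass
class Request:
    session_user: Optional[str]        # user bound to the session cookie, or None
    query: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def render_account_page(username: str) -> bytes:
    """Render the account page, including the API key (constructed markup)."""
    key = USERS[username]["api_key"]
    return (f"<h1>My Account</h1><div>Your username is: {username}</div>"
            f"<div>Your API Key is: {key}</div>").encode()


def vulnerable_my_account(req: Request) -> Response:
    """Mirrors the lab's behaviour: identity comes from ?id=, the page is
    rendered first, and the access check that follows only changes the
    status line, so the rendered page ships inside the 302."""
    target = req.query.get("id", req.session_user)
    if target not in USERS:
        return Response(404)
    page = render_account_page(target)            # rendered before the check
    if req.session_user != target:
        return Response(302, {"Location": "/login"}, page)   # body leaks
    return Response(200, {"Content-Type": "text/html"}, page)


def hardened_my_account(req: Request) -> Response:
    """Identity from the session only; authorize, then render; redirects
    and refusals carry no page content."""
    if req.session_user is None:
        return Response(302, {"Location": "/login"})          # empty body
    requested = req.query.get("id")
    if requested is not None and requested != req.session_user:
        return Response(403)                                  # no data at all
    page = render_account_page(req.session_user)               # after the check
    return Response(200, {"Content-Type": "text/html"}, page)


if __name__ == "__main__":
    attack = Request(session_user="wiener", query={"id": "carlos"})
    print(vulnerable_my_account(attack))
    print(hardened_my_account(attack))
```

The hardened handler refuses a mismatched id outright rather than silently serving the session user's own page, which makes the probing visible in logs; either choice is acceptable as long as the decision is made before any data is read or rendered.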
