User ID Controlled by Request Parameter with Data Leakage in Redirect

Our task is to obtain the API key of the user carlos. After clicking "Access the lab", we go to "My account" and log in with the provided credentials, wiener:peter:

After logging in, we can observe a few interesting things.
- The API key is visible to the logged-in user.
- The ID parameter equals the username and is visible in the URL bar.

Let's see what happens if we replace the user wiener with carlos and press "Enter":

We are logged out of the application, but with Burp Suite running in the background, we can check the communication:

In the request with the "carlos" parameter, we see a "302" status, meaning a redirect. Indeed, we saw the login screen in the application, but before that happened, the server returned a page with the user's data in the body of the redirect response. The correct behavior would be to remove the HTML code from the response and leave only the headers. In this case, we can browse the page content to see if we can find the API key we are interested in:

We copy the API key, go to the page, click "Submit solution". Done:

