User ID controlled by request parameter, with unpredictable user IDs
This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs. To solve the lab, find the GUID for carlos, then submit his API key as the solution. You can log in to your own account using the following credentials: wiener:peter
Upon entering my credentials and observing that the ID for my account is not simply a number, I proceed to navigate the site in an attempt to locate Carlos.
I came across one of Carlos's blogs on the site and inspected the HTML of the webpage. I noticed his account ID was in the HTML of the page.
I copy the element where his ID was and put it in Notepad.
I log back into my account and swap the ID to get the flag.
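The server-side cause and fix for what this lab shows, as an added example that is not part of the original write-up or the lab's own code: an account handler that trusts the `id` parameter next to one that checks it against the session, plus a byline renderer that stops publishing the GUID. All names, routes, sessions and keys below are constructed assumptions.

```python
import uuid

# Constructed sample data: two accounts identified by random GUIDs.
USERS = {
    "wiener": {"id": str(uuid.uuid4()), "api_key": "constructed-key-wiener"},
    "carlos": {"id": str(uuid.uuid4()), "api_key": "constructed-key-carlos"},
}
BY_ID = {u["id"]: name for name, u in USERS.items()}
SESSIONS = {"sess-wiener": "wiener"}  # hypothetical session token -> username


def account_page_vulnerable(session, requested_id):
    """Trusts the id parameter: any logged-in user can read any account."""
    if session not in SESSIONS:
        return 401, None
    name = BY_ID.get(requested_id)
    if name is None:
        return 404, None
    return 200, USERS[name]["api_key"]


def account_page_hardened(session, requested_id):
    """Serves the account only when the id belongs to the session's user."""
    owner = SESSIONS.get(session)
    if owner is None:
        return 401, None
    if USERS[owner]["id"] != requested_id:
        return 403, None  # same answer whether or not the GUID exists
    return 200, USERS[owner]["api_key"]


def render_author_link(author, expose_guid):
    """Blog byline (hypothetical markup). With expose_guid=True the
    author's account GUID ends up in public HTML, as seen in the lab."""
    ref = USERS[author]["id"] if expose_guid else author
    return f'<a href="/author?ref={ref}">{author}</a>'


if __name__ == "__main__":
    carlos_id = USERS["carlos"]["id"]
    print(account_page_vulnerable("sess-wiener", carlos_id))  # 200 + key
    print(account_page_hardened("sess-wiener", carlos_id))    # 403
```

The ownership check is the control here; an unguessable GUID only delays discovery, and hiding it in the byline is defence in depth rather than a substitute.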