Access Control
Lab #: User ID controlled by request parameter
Guys 👋, welcome back. Let’s go through this lab real quick. This lab has a horizontal privilege escalation vulnerability on a user account page. Let’s try to exploit the vulnerability.
To solve the lab, we need to obtain the API key for the user Carlos and submit it as the solution. Note: I’m using Caido; you can follow along using Burp as well.
End Goals:
- Obtain the API key for the user carlos
- You can log in to your own account using the following credentials: wiener:peter
What is horizontal privilege escalation 🤔?
Horizontal privilege escalation occurs if a user is able to gain access to resources belonging to another user, instead of their own resources of that type.
Testing for vulnerabilities:
- Let’s log in to our account using the credentials above and test all features in the application. Turn on our proxy to collect requests. See how the web app handles requests, processes our requests, and identifies users.
- When we log in, let’s check our proxy. We can see that the web app identifies the user in the URL: the value of the id parameter contains our username. Nice😂
- The hacker inside us says: send the request to Repeater/Replay and modify the value of the ‘id’ parameter to ‘carlos’.
- We got in (200 OK) and we can see user carlos’s API key.
- Retrieve and submit the API key for carlos. We solved the lab. Easy, right?
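To make the root cause concrete, here is an added Python simulation of the account page (example code, not from the lab or the original write-up). It places the flawed handler, which picks the account from the request’s `id` parameter, beside a hardened one that takes the identity from the server-side session only and records any mismatch, plus a small detector that flags such mismatches in access-log lines. The `/my-account` path, the account store, the API keys and the log lines are all constructed placeholders.

```python
"""Added example: vulnerable vs. hardened authorization for a
"/my-account?id=<user>" page, plus a log-based detector for the
session/parameter mismatch that horizontal privilege escalation produces.
Everything below (path, users, keys, log lines) is constructed for this example.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed account store. The API keys are placeholders, not the lab's values.
ACCOUNTS = {
    "wiener": {"api_key": "wiener-key-PLACEHOLDER"},
    "carlos": {"api_key": "carlos-key-PLACEHOLDER"},
}

# Server-side audit trail written by the hardened handler (assumed design).
AUDIT_LOG = []


def vulnerable_my_account(session_user, params):
    """Flawed handler: the account to display is chosen from the request's
    `id` parameter, so any logged-in user can read any other user's account.
    Returns (status_code, body)."""
    if session_user is None:
        return 302, None  # not logged in: redirect to login (assumed behaviour)
    target = params.get("id", session_user)
    account = ACCOUNTS.get(target)
    if account is None:
        return 404, None
    return 200, {"username": target, "api_key": account["api_key"]}


def hardened_my_account(session_user, params):
    """Fixed handler: the subject is always the session identity. A mismatching
    `id` parameter is rejected with 403 and recorded so it can be alerted on."""
    if session_user is None:
        return 302, None
    requested = params.get("id", session_user)
    if requested != session_user:
        AUDIT_LOG.append(
            f"authz_mismatch session_user={session_user} requested_id={requested}"
        )
        return 403, None
    account = ACCOUNTS[session_user]  # a live session always maps to an account here
    return 200, {"username": session_user, "api_key": account["api_key"]}


# Constructed access-log lines: "user=<session user> path=<request path>".
SAMPLE_LOG = [
    "user=wiener path=/my-account?id=wiener",
    "user=wiener path=/my-account?id=carlos",
    "user=carlos path=/my-account?id=carlos",
    "user=administrator path=/my-account?id=wiener",
]


def find_id_mismatches(log_lines):
    """Return (session_user, requested_id) pairs where a logged-in user asked
    for a different user's account page. Roles that may legitimately view other
    accounts (e.g. support staff) should be allow-listed before alerting."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        user = fields.get("user")
        path = fields.get("path", "")
        requested = parse_qs(urlsplit(path).query).get("id", [None])[0]
        if user and requested and requested != user:
            hits.append((user, requested))
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_my_account("wiener", {"id": "carlos"}))
    print("hardened:  ", hardened_my_account("wiener", {"id": "carlos"}))
    print("audit:     ", AUDIT_LOG)
    print("log hits:  ", find_id_mismatches(SAMPLE_LOG))
```

The fix is not to hide or encode the parameter but to stop trusting it: the server already knows who is logged in, so the page should never need a client-supplied identity to decide whose data to show. The 403 plus audit entry also gives the blue team a clean signal for tampering attempts.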
That’s all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!