4.4.15 web user id controlled by request parameter with dynamic id(Web Security Academy)
Web Security Academy >> Access control >> Lab
The goal here is to access Carlos's API key, so we have to get hold of his GUID:
If you gather some information about this site before starting anything, you will see that it is a blog site more than anything else: it is just posts, and each post is written by a specific user. You will find that there are 3 users, and that each user actually has his own GUID. So:
When you browse around, you will find that each post has a specific ID.
So I will log in using wiener:peter, then take the userId from within the wiener user page, and check whether it is really the same as the one on the user's blog posts.
Same user ID.
Here inside the page for the user wiener.
Same user ID.
Here inside the blogs.
So we can go back to the My Account page and change the user ID:
This is Carlos's user ID. We found it by finding his post, and thus we found his user ID:
We will change the user ID from here and test whether it actually takes me to Carlos's page.
Indeed, what was expected happened and I arrived at Carlos's page.
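The walkthrough above works because the server trusts whatever user ID arrives in the request, and the "unpredictable" GUIDs are printed on every public post anyway. The following is an added example, not code from this write-up or from PortSwigger: a minimal model of the lab's My Account endpoint with the vulnerable handler next to a fixed one that authorises against the session, plus a small log check that flags requests whose ID parameter names a user other than the session owner. All users, GUIDs, posts, API keys and log lines are constructed sample data; the parameter name `id` and the log format are assumptions.

```python
"""Added example, not code from the write-up or from PortSwigger: a minimal
model of the lab's "My account" page. It shows that an unpredictable GUID in
the id parameter is not an access control, because the GUIDs are disclosed
on the blog posts anyway, and how a server-side ownership check closes the
hole. All users, GUIDs, posts, API keys and log lines are constructed sample
data; the parameter name "id" and the log format are assumptions."""
import re
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str  # unpredictable GUID, as in the lab
    name: str
    api_key: str


# Constructed sample data; GUIDs are generated fresh on every run.
USERS = {
    u.user_id: u
    for u in (
        User(str(uuid.uuid4()), "administrator", "constructed-admin-key"),
        User(str(uuid.uuid4()), "wiener", "constructed-wiener-key"),
        User(str(uuid.uuid4()), "carlos", "constructed-carlos-key"),
    )
}
BY_NAME = {u.name: u for u in USERS.values()}

# Blog posts are public and carry the author's GUID, so any visitor can learn
# every user's id simply by reading the blog: "unpredictable" is not "secret".
POSTS = [
    {"post_id": 1, "author_id": BY_NAME["carlos"].user_id, "title": "constructed post"},
    {"post_id": 2, "author_id": BY_NAME["wiener"].user_id, "title": "constructed post"},
]


class Forbidden(Exception):
    """Raised when a request asks for a record the session does not own."""


def author_id_of(post_id):
    """The id a public post page discloses for its author."""
    return next(p["author_id"] for p in POSTS if p["post_id"] == post_id)


def my_account_vulnerable(session_user_id, params):
    """Trusts the id query parameter and never compares it to the session."""
    user = USERS.get(params.get("id", session_user_id))
    if user is None:
        raise KeyError("no such user")
    return {"username": user.name, "api_key": user.api_key}


def my_account_fixed(session_user_id, params):
    """Authorises against the session: the parameter may only name the
    authenticated user, otherwise the request is refused."""
    requested = params.get("id", session_user_id)
    if requested != session_user_id:
        raise Forbidden("id parameter does not match the authenticated user")
    user = USERS[session_user_id]
    return {"username": user.name, "api_key": user.api_key}


# Detection side: flag requests whose id parameter names a user other than
# the one the session belongs to. Assumed (constructed) log format:
#   <session_user> GET /my-account?id=<guid>
LOG_RE = re.compile(r"^(\S+) GET /my-account\?id=([0-9a-f-]{36})$")


def flag_idor_attempts(log_lines):
    """Return (session_user, requested_user_name) for each mismatching line."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        session_user, requested_id = m.groups()
        requested = USERS.get(requested_id)
        if requested is not None and requested.name != session_user:
            hits.append((session_user, requested.name))
    return hits


if __name__ == "__main__":
    wiener = BY_NAME["wiener"].user_id
    carlos = author_id_of(1)  # learned from the public post, as in the lab
    print(my_account_vulnerable(wiener, {"id": carlos}))  # leaks carlos's key
    try:
        my_account_fixed(wiener, {"id": carlos})
    except Forbidden as err:
        print("fixed endpoint:", err)
```

The fix is deliberately not "make the GUID harder to guess": the only check that matters is that the record returned belongs to the authenticated session, and a request that names someone else should be refused and logged, which is exactly what the mismatch detector above keys on.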
Congratulations, you solved the lab!
We can also do all this using Burp. Try it, it will be really fun.
See you soon in other reports...!!
Abdelwahab_Shandy
AS_Cyber