# User ID controlled by request parameter with data leakage in redirect

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2F7ZFxIYBqcwBVULDTA9h2%2F1.png?alt=media&#x26;token=797b4dee-3470-4e96-9110-51176c1e0610" alt=""><figcaption></figcaption></figure>

Let's login using the following credentials:

| Username | Password |
| -------- | -------- |
| wiener   | peter    |

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FJ4Y8kd27Px4YmxhjOyQd%2F2.png?alt=media&#x26;token=01919207-ca13-4e53-8d6c-82eef76970e2" alt=""><figcaption></figcaption></figure>

Since we are proxying the traffic through Burp Suite, we will be able to view the request in `Proxy > HTTP History`.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FfMZZ15k77MBtxpSiBJWA%2F3.png?alt=media&#x26;token=63eded09-3e01-4ad9-a1dd-0c65287613a2" alt=""><figcaption></figcaption></figure>

We can see that the URI contains the `id` parameter set to `wiener`.

Let's send it to the `Repeater` for further modification.

Once in the `Repeater`, we can set the `id` parameter to the following and send the request:

```
carlos
```

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FdnTDuDk5jMcddKiXGpE6%2F4.png?alt=media&#x26;token=88897ced-9f10-40cd-8969-a4830fb5d384" alt=""><figcaption></figcaption></figure>

As we can see, the response carries a `302` status code, which means it is a redirection response (here to the login page, because `carlos` is not the logged-in user).

We could follow the redirect, but there is no need: the server rendered the account page into the body of the `302` response before redirecting, so the response already contains the API key for `carlos`. Let's submit the key.
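The defect the lab demonstrates is that the handler renders the requested user's account page into the response body and only then decides to redirect, so an authorization failure still leaks the page. The following is an added example, not the lab's or PortSwigger's code: a minimal model of such a handler beside a hardened version, plus a check a practitioner can run over captured responses to flag redirects that carry a body. The session IDs, usernames, API key values and the `Response` structure are all constructed for illustration.

```python
"""Model of 'data leakage in redirect' (vulnerable vs hardened handler).

Added example, not code from the lab. Sessions, users and API keys below
are constructed placeholders, not values from any real application.
"""
from dataclasses import dataclass, field

# Constructed sample data: session cookie -> username, and each user's API key.
SESSIONS = {"sess-wiener": "wiener"}
API_KEYS = {"wiener": "WIENER-KEY-PLACEHOLDER", "carlos": "CARLOS-KEY-PLACEHOLDER"}


@dataclass
class Response:
    """Simplified HTTP response: status code, headers, body."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def render_account_page(user: str) -> str:
    """Render the 'My account' page for a user, API key included."""
    return f"<h1>My account</h1><p>Username: {user}</p><p>API key: {API_KEYS[user]}</p>"


def vulnerable_account(session_id: str, requested_id: str) -> Response:
    """Trusts the `id` query parameter and renders the page BEFORE authorising.

    On a mismatch it switches the status to 302 and sets Location, but the
    already-rendered body (with the other user's API key) is still returned.
    """
    session_user = SESSIONS.get(session_id)
    resp = Response(status=200)
    resp.body = render_account_page(requested_id)   # rendered unconditionally
    if session_user != requested_id:
        resp.status = 302
        resp.headers["Location"] = "/login"
    return resp


def hardened_account(session_id: str, requested_id: str) -> Response:
    """Authorise first; redirect with an empty body; render only the session user."""
    session_user = SESSIONS.get(session_id)
    if session_user is None or session_user != requested_id:
        return Response(status=302, headers={"Location": "/login"}, body="")
    # Render from the authenticated identity, never from the request parameter.
    return Response(status=200, body=render_account_page(session_user))


def redirect_leaks_body(resp: Response) -> bool:
    """Detection check: a 3xx response with a non-empty body is a candidate
    for data leakage in redirect and worth inspecting in proxy history."""
    return 300 <= resp.status < 400 and bool(resp.body.strip())


if __name__ == "__main__":
    leaky = vulnerable_account("sess-wiener", "carlos")
    print("vulnerable:", leaky.status, "leaks body:", redirect_leaks_body(leaky),
          "contains carlos key:", API_KEYS["carlos"] in leaky.body)
    safe = hardened_account("sess-wiener", "carlos")
    print("hardened:", safe.status, "leaks body:", redirect_leaks_body(safe))
```

The hardened handler still accepts `id` for comparison only so the two versions line up; in a real application the cleaner fix is to drop the parameter entirely and derive the account from the session. The `redirect_leaks_body` check is the same test you would apply by eye in Burp's HTTP history: any `3xx` whose body is more than a few bytes deserves a look.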

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FNYmoTKyoQWhQhWXCOdbT%2F6.png?alt=media&#x26;token=cb531e1f-947f-40a2-9607-91192c6010de" alt=""><figcaption></figcaption></figure>

We have solved the lab.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FPSTpnm0SKc6eOJKwBZCH%2F7.png?alt=media&#x26;token=966ca46a-764f-4d4e-9deb-47752d4b8b9f" alt=""><figcaption></figcaption></figure>
