User ID controlled by request parameter with data leakage in redirect
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-data-leakage-in-redirect

Let's login using the following credentials:
wiener
peter

Since we are proxying the traffic through Burp Suite, we will be able to view the request in Proxy > HTTP History
.

We can see that the URI contains the id
parameter set to wiener
.
Let's forward it to the Repeater
for further modification.
Once in the Repeater
, we can set the id
parameter to the following and send the request:
carlos

As we can see the response contains a 302 code. Which means that this is a redirection response.
We can follow the redirection however it is not necessary since we have the API key. Let's submit the key.

We have solved the lab.

Last updated
Was this helpful?