> For the complete documentation index, see [llms.txt](https://kunalwalavalkar.gitbook.io/write-ups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kunalwalavalkar.gitbook.io/write-ups/portswigger-labs/server-side-topics/access-control/user-id-controlled-by-request-parameter-with-data-leakage-in-redirect.md).

# User ID controlled by request parameter with data leakage in redirect

<figure><img src="/files/dg4X4zi8fYqoWViWucy0" alt=""><figcaption></figcaption></figure>

Let's login using the following credentials:

| Username | Password |
| -------- | -------- |
| wiener   | peter    |

<figure><img src="/files/lKOFqwR9cUOH3l2ntXwM" alt=""><figcaption></figcaption></figure>

Since we are proxying the traffic through Burp Suite, we will be able to view the request in `Proxy > HTTP History`.

<figure><img src="/files/nhekemhKrNEid3mIEK0m" alt=""><figcaption></figcaption></figure>

We can see that the URI contains the `id` parameter set to `wiener`.&#x20;

Let's forward it to the `Repeater` for further modification.&#x20;

Once in the `Repeater`, we can set the `id` parameter to the following and send the request:

```
carlos
```

<figure><img src="/files/YvRmCg4mdUf86BMTnKEe" alt=""><figcaption></figcaption></figure>

As we can see the response contains a 302 code. Which means that this is a redirection response.&#x20;

We can follow the redirection however it is not necessary since we have the API key. Let's submit the key.

<figure><img src="/files/tJlyCylZUopWvMMqWUkJ" alt=""><figcaption></figcaption></figure>

We have solved the lab.

<figure><img src="/files/1QpZSKZCHnDYIYDPpk0k" alt=""><figcaption></figcaption></figure>
