User ID controlled by request parameter with data leakage in redirect

https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-data-leakage-in-redirect

Let's log in using the following credentials:

Username: wiener
Password: peter

Since we are proxying the traffic through Burp Suite, we will be able to view the request in Proxy > HTTP History.

We can see that the URI contains the id parameter set to wiener.

Let's forward it to the Repeater for further modification.

Once in the Repeater, we can set the id parameter to the following and send the request:

carlos

As we can see, the response has a 302 status code, which means it is a redirection response.

We could follow the redirection, but that is not necessary: the body of the 302 response already contains the API key. Let's submit the key.

We have solved the lab.
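
Why the 302 still carried the key, and how to fix it, as an added example that is not part of the original write-up or the lab's own code. The handler names, the `/login` target, the page markup and the keys are hypothetical, constructed values.

```python
# Constructed sample data; names, keys and routes are hypothetical.
API_KEYS = {"wiener": "KEY-WIENER-EXAMPLE", "carlos": "KEY-CARLOS-EXAMPLE"}


def render_account(user):
    """Render the account page for `user`, including that user's API key."""
    return f"<h1>My Account</h1><p>User: {user}</p><p>API key: {API_KEYS[user]}</p>"


def account_vulnerable(session_user, requested_id):
    """Return (status, headers, body). A mismatched id sets a redirect, but
    execution continues, so the 302 body still holds the other user's page."""
    status, headers = 200, {}
    if requested_id != session_user:
        status, headers = 302, {"Location": "/login"}
        # BUG: no return here; rendering below still uses requested_id.
    return status, headers, render_account(requested_id)


def account_hardened(session_user, requested_id):
    """Stop processing as soon as the ownership check fails."""
    if session_user is None or requested_id != session_user:
        return 302, {"Location": "/login"}, ""  # empty body, nothing to leak
    # Render from the session identity, not from the request parameter.
    return 200, {}, render_account(session_user)


def redirect_leaks(response, secrets):
    """Regression check: True if a 3xx response body contains any secret."""
    status, _headers, body = response
    return 300 <= status < 400 and any(s in body for s in secrets)


if __name__ == "__main__":
    secrets = list(API_KEYS.values())
    for handler in (account_vulnerable, account_hardened):
        resp = handler("wiener", "carlos")
        print(handler.__name__, resp[0], "leaks:", redirect_leaks(resp, secrets))
```

A check like `redirect_leaks` fits in an integration test suite: browsers discard redirect bodies, so this class of bug is invisible in manual browser testing.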
