# User ID controlled by request parameter, with unpredictable user IDs

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FQIuSmfZRLPzSsZTo3CKc%2F1.png?alt=media&#x26;token=a505b50a-965b-46b1-81b9-6ce48d2773cd" alt=""><figcaption></figcaption></figure>

We can log in using the following credentials:

| Username | Password |
| -------- | -------- |
| wiener   | peter    |

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FGLrVDZ7Pq4pewvxFvptT%2F2.png?alt=media&#x26;token=4e5cedfa-9328-4dad-bdc4-5ab232974fe0" alt=""><figcaption></figcaption></figure>

Since we are proxying the traffic through Burp Suite, we can go to `Proxy > HTTP History` in order to view the request.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FNKiq9IXnQKKMeLlz8sSf%2F3.png?alt=media&#x26;token=bde358b7-3903-419d-a450-b1ed76db5678" alt=""><figcaption></figcaption></figure>

As we can see, the request contains an `id` parameter. In order to access the `carlos` user's API key we will first need to find his GUID.

First, let's forward this request to the `Repeater` for later modification.

Then let's look for a post written by the `carlos` user.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FyWFMTQ8OrEQEkx6onOe1%2F4.png?alt=media&#x26;token=762a33af-9686-4167-bc57-205d66d77b6c" alt=""><figcaption></figcaption></figure>

We can now view the user's profile.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FuapJZ4CwJ0lhT6yYpY86%2F5.png?alt=media&#x26;token=e93540df-da07-4363-b171-1cd81b871c4d" alt=""><figcaption></figcaption></figure>

Let's read this request in the `Proxy > HTTP History` tab.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FGZkmoTAanupVFVJHFfkb%2F6.png?alt=media&#x26;token=617597de-929e-4143-b7b6-2df62a10d1de" alt=""><figcaption></figcaption></figure>

Now that we have the GUID, we can go to the `Repeater` and set the `id` parameter to the `carlos` user's GUID and send the request.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FcStNYQtJHLmvZIiRUzvq%2F7.png?alt=media&#x26;token=1a222193-d9b4-47a9-8eb2-4fb98200b375" alt=""><figcaption></figcaption></figure>

Let's submit the API key.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FAvzUcULWdf05rAGJ8eSE%2F8.png?alt=media&#x26;token=e755c659-b45d-45d8-b85b-f97576266523" alt=""><figcaption></figcaption></figure>

We have solved the lab.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FIJ02Yk6RWnxL7h7LPELc%2F9.png?alt=media&#x26;token=cc8549d2-6601-4a50-8f20-f6d4116cae7d" alt=""><figcaption></figcaption></figure>
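The root cause in this lab is that the server trusts the `id` parameter to decide whose account to return, and relies on the GUID being hard to guess; once the GUID leaks through a public profile page, that "protection" is gone. The following added example (not part of the lab or its solution) models the vulnerable handler beside a hardened one that derives the account from the authenticated session instead. Account data, GUIDs and the `Request` type are constructed for illustration.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two accounts keyed by random GUIDs (not the lab's real values).
ACCOUNTS = {
    str(uuid.uuid4()): {"username": "wiener", "api_key": "KEY-WIENER"},
    str(uuid.uuid4()): {"username": "carlos", "api_key": "KEY-CARLOS"},
}
# Reverse lookup: username -> GUID, as the session layer would hold it.
GUID_OF = {acct["username"]: guid for guid, acct in ACCOUNTS.items()}


@dataclass
class Request:
    session_user: str                 # identity bound to the session cookie (server-side, trusted)
    params: dict = field(default_factory=dict)  # query string (client-controlled, untrusted)


def my_account_vulnerable(req: Request) -> Optional[dict]:
    """Lab behaviour: whichever GUID arrives in `id` selects the account.
    Unpredictability of the GUID is the only barrier, and it collapses as
    soon as a GUID is disclosed anywhere (here: the author link on a blog post)."""
    acct = ACCOUNTS.get(req.params.get("id", ""))
    if acct is None:
        return None
    return {"username": acct["username"], "api_key": acct["api_key"]}


def my_account_fixed(req: Request) -> Optional[dict]:
    """Hardened: the account comes from the authenticated session. The `id`
    parameter is at most a consistency check and never the authority for
    whose data is returned; a mismatch is refused (and worth logging as an
    IDOR probe)."""
    own_guid = GUID_OF[req.session_user]
    requested = req.params.get("id", own_guid)
    if requested != own_guid:
        return None  # a real app would answer 403 here
    acct = ACCOUNTS[own_guid]
    return {"username": acct["username"], "api_key": acct["api_key"]}
```

The same pattern applies to any object identifier taken from the request: authorize against the session's identity or role, and treat unguessable IDs as a convenience, not as access control.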
