
🗂️ PortSwigger Lab Writeup: User ID Controlled by Request Parameter with Unpredictable User IDs

🎯 Objective

The objective of this lab is to exploit broken access control: the application's user account page has a horizontal privilege escalation vulnerability. The goal is to obtain the API key for the user carlos.

  • Lab URL: https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-unpredictable-user-ids
  • Category: Access Control
  • Difficulty: Apprentice

🧪 Exploitation Steps

🕵️ Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
    [Screenshot: Blogging website homepage displaying blog posts and navigation menu]
    [Screenshot: Login page interface with username and password fields]
  • At first glance, the website seems to be a shopping website with a login page. The lab description states that we need to obtain the API key for the user carlos.

📝 Step 2: Login as wiener

  • Log in with the credentials of the user wiener to reach the account page first.
    [Screenshot: Login page with wiener credentials]
  • On wiener's account page we can see wiener's API key.
    [Screenshot: User account page showing wiener's profile with unpredictable user ID]
  • Now move to the home page and click on the first post.
    [Screenshot: Blog post author profile with embedded user ID link in author name]
  • Here you can see that the page embeds a hyperlink for the author of the post.
  • Open the page source to confirm that a UserId is embedded in this hyperlink.
    [Screenshot: HTML source code showing user ID parameter embedded in author profile link]
  • This confirms that users' UserIds are embedded in the posts they have written.
  • Now find a post authored by carlos to obtain his UserId.
    [Screenshot: Blog posts feed showing multiple posts including one by carlos]
  • Open the source of this post and copy carlos's UserId.
    [Screenshot: HTML source code revealing carlos user ID in blog post author link]
  • Go to wiener's account page and paste this UserId into the /my-account?id= parameter.
    [Screenshot: User account page for carlos accessed by pasting discovered user ID in parameter]
  • We can now see the API key of user carlos.

🧑‍💼 Step 3: Submit the API key of carlos

  • Copy the API key of carlos and submit it via Submit solution.
    [Screenshot: Lab solved confirmation message after submitting carlos API key]
  • The lab is now solved.

🧠 Conclusion

  • This lab demonstrated how information disclosure in public content can enable horizontal privilege escalation. Even with unpredictable user IDs, the application exposed user identifiers in the HTML source via blog post author links, allowing an attacker to discover other users' IDs and read their API keys.
  • The impact is high: sensitive user identifiers leaked anywhere in the application (HTML, JavaScript, API responses) let an attacker enumerate users and access their private data, regardless of whether the IDs are predictable.
  • Fix: minimize information disclosure by not embedding user IDs in public or client-side content, use generic references for author links, enforce server-side authorization on all account endpoints, verify that the current user owns the requested account before exposing sensitive data, and regularly audit all user-facing content for leaked identifiers.
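As an added example that is not part of this writeup or of PortSwigger's lab code, the following Python models the flaw from Step 2 beside the fix from the conclusion: a `/my-account?id=` handler that trusts the client-supplied id, the hardened version that derives the account from the session and refuses any id the session user does not own, and an audit helper that flags user IDs leaking into rendered HTML. The users, IDs, API keys, the `/blogs?userId=` author-link shape and the function names are all constructed assumptions for illustration, not values from the lab.

```python
"""Added example, not code from the PortSwigger lab or this writeup.

Minimal model of the /my-account?id= endpoint: the vulnerable version trusts
the id parameter, the fixed version derives the account from the session and
rejects any id the session user does not own. An audit helper then reports
known user IDs that appear in client-side HTML, as the author links did.
All users, IDs, API keys and HTML fragments are constructed sample data; the
/blogs?userId= author-link shape is an assumption, not taken from the lab.
"""
from urllib.parse import parse_qs, urlparse

# Constructed users with unpredictable (GUID-style) IDs, as in the lab.
WIENER_ID = "3f2a9c1e-5b7d-4e8a-9c6f-1d2e3f4a5b6c"
CARLOS_ID = "b7e1d0a4-2c9f-4d3e-8a1b-6f5e4d3c2b1a"
USERS = {
    WIENER_ID: {"username": "wiener", "api_key": "WIENER-SAMPLE-KEY"},
    CARLOS_ID: {"username": "carlos", "api_key": "CARLOS-SAMPLE-KEY"},
}


def user_id_for(username):
    """Look up the ID that the server-side session for `username` carries."""
    for uid, user in USERS.items():
        if user["username"] == username:
            return uid
    raise KeyError(username)


def requested_id(url):
    """Return the id query parameter of a request URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("id", [None])[0]


def my_account_vulnerable(session_username, url):
    """Lab behaviour: whichever id the client supplies is the account shown.

    Returns (status, body). Knowing another user's ID is enough to read that
    user's API key; unpredictable IDs only make the ID harder to guess.
    """
    uid = requested_id(url) or user_id_for(session_username)
    user = USERS.get(uid)
    if user is None:
        return 404, None
    return 200, {"username": user["username"], "api_key": user["api_key"]}


def my_account_fixed(session_username, url):
    """Hardened: the account shown is always the session user's own.

    An id parameter is tolerated only when it equals the session user's ID;
    any other value is an authorization failure, never a lookup.
    """
    own_id = user_id_for(session_username)
    uid = requested_id(url)
    if uid is not None and uid != own_id:
        return 403, None
    user = USERS[own_id]
    return 200, {"username": user["username"], "api_key": user["api_key"]}


def render_author_link_vulnerable(username):
    """Leaks the internal user ID into public HTML (assumed link shape)."""
    return f'<a href="/blogs?userId={user_id_for(username)}">{username}</a>'


def render_author_link_fixed(username):
    """Links the author by public username only; no internal ID is exposed."""
    return f'<a href="/blogs?author={username}">{username}</a>'


def find_leaked_ids(html):
    """Audit check: which known user IDs appear anywhere in rendered content."""
    return [uid for uid in USERS if uid in html]


if __name__ == "__main__":
    cross_user_url = f"/my-account?id={CARLOS_ID}"
    print("vulnerable:", my_account_vulnerable("wiener", cross_user_url))
    print("fixed:     ", my_account_fixed("wiener", cross_user_url))
    post = f"<p>Posted by {render_author_link_vulnerable('carlos')}</p>"
    print("leaked IDs in vulnerable post:", find_leaked_ids(post))
    post = f"<p>Posted by {render_author_link_fixed('carlos')}</p>"
    print("leaked IDs in fixed post:     ", find_leaked_ids(post))
```

The fixed handler deliberately returns 403 rather than silently showing the session user's own page when a foreign id is supplied: a mismatch between session identity and requested resource is worth logging as an access-control probe, and a silent fallback would hide it. The audit helper is the kind of check to run over rendered pages and API responses in CI so that an identifier reintroduced into a template is caught before release.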