| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (IDOR with Data Leakage in Redirect) |
| Difficulty | Apprentice |
| Objective | Obtain the API key for the user carlos and submit it as the solution |
User ID Controlled by Request Parameter with Data Leakage in Redirect
Log in as wiener:peter.
Trying the same approach as the previous labs:
web-security-academy.net/my-account?id=carlos
In the browser this redirects to login.
Intercepting the same request with Burp instead of letting the browser follow the redirect automatically:
```http
GET /my-account?id=carlos HTTP/2
Host: 0a3d00f904df424780d9ad790026000c.web-security-academy.net
```
and on the response:
```http
HTTP/2 302 Found
Location: /login
(body)
```
The server does respond with a redirect to /login, but the body it sends along with that 302 still contains Carlos's account page, API key included. The browser follows the Location header and never renders that body, which is why the leak is invisible without a proxy. On the server side the fix is to run the access-control check before building the page and to send the redirect with an empty body.
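As an added illustration (not the lab's code), the following Python models the /my-account?id= handler in its leaky form next to a fixed version, and includes a checker that flags any 3xx response whose body carries page content. The user names are the lab's; the API key values and HTML are constructed placeholders.

```python
"""Vulnerable vs fixed /my-account handler and a redirect-body checker.
Constructed example: the key values and page markup are placeholders."""

# Constructed user store; the keys are placeholders, not the lab's values.
USERS = {
    "wiener": "WIENER-KEY-PLACEHOLDER",
    "carlos": "CARLOS-KEY-PLACEHOLDER",
}

def render_account(username: str) -> str:
    # The account page embeds the API key, so any copy of its body is sensitive.
    return (f"<h1>My Account</h1><p>Username: {username}</p>"
            f"<p>Your API key is: {USERS[username]}</p>")

def raw_response(status: int, reason: str, headers: dict, body: str) -> str:
    # Serialise to the wire form seen in Burp so one checker covers both handlers.
    lines = [f"HTTP/2 {status} {reason}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def my_account_vulnerable(session_user: str, requested_id: str) -> str:
    # Defect: the page is built before the access check, and the redirect
    # reuses that already-rendered body instead of discarding it.
    body = render_account(requested_id)
    if session_user != requested_id:
        return raw_response(302, "Found", {"Location": "/login"}, body)
    return raw_response(200, "OK", {"Content-Type": "text/html"}, body)

def my_account_fixed(session_user: str, requested_id: str) -> str:
    # Fix: authorise first, and send the redirect with an empty body.
    if session_user != requested_id:
        return raw_response(302, "Found", {"Location": "/login"}, "")
    return raw_response(200, "OK", {"Content-Type": "text/html"},
                        render_account(requested_id))

def redirect_leaks_body(raw: str, marker: str = "API key") -> bool:
    """True when a 3xx response carries page content. Run it over responses
    captured with redirect-following disabled; a browser never shows them."""
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split("\r\n", 1)[0].split(" ")[1])
    return 300 <= status < 400 and marker in body

if __name__ == "__main__":
    for name, handler in (("vulnerable", my_account_vulnerable),
                          ("fixed", my_account_fixed)):
        print(name, "redirect leaks body:",
              redirect_leaks_body(handler("wiener", "carlos")))
```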
Lab solved :P