My name is Terry Amondi and I am thrilled by offensive security
The objective of this lab is to perform horizontal privilege escalation using GUIDs (Globally Unique Identifiers) to access carlos’ account and find his API key. The lab gives access to a blog site as shown below.
You can try to log into wiener’s account since his credentials have been provided.
You can see his GUID in the id parameter of the URL, and his API key is shown once you access his account. Now, let’s try to find carlos’ GUID. On the home page, there are a number of articles: some written by administrator, others by wiener and others by carlos. You can click on an article by wiener and view the source code.
You find the id in the source code, and it matches the GUID that was displayed when wiener’s account was accessed. This means carlos’ GUID can be found in the same way. Click on any article written by carlos and view the source code.
Carlos’ GUID is referenced there, and it can be used to access his account. Now, log into wiener’s account again, replace his GUID in the URL with carlos’ and refresh the page.
You get access to his account and find his API key, which you can submit to complete the lab.
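The lab works because the account page trusts the id in the URL, and an unpredictable GUID stops protecting anything once it appears in the markup of a blog post. The following is an added example, not code from the lab or from the original post: a minimal Python model of the flawed handler beside a corrected one that ties the account to the server-side session. All names (`ACCOUNTS`, `POSTS`, `my_account_vulnerable`, `my_account_fixed`) and all GUIDs and API keys are constructed for illustration.

```python
import uuid

# Constructed sample data: GUIDs and API keys are made up for this example.
ACCOUNTS = {}
for name in ("wiener", "carlos"):
    guid = str(uuid.uuid4())
    ACCOUNTS[guid] = {"username": name, "api_key": f"constructed-key-{name}"}

GUID_OF = {acct["username"]: guid for guid, acct in ACCOUNTS.items()}

# Blog posts expose the author's GUID in their markup, as the lab's pages do.
POSTS = [{"title": "Post A", "author_id": GUID_OF["carlos"]}]


class Forbidden(Exception):
    """Raised when the session user may not read the requested account."""


def my_account_vulnerable(session_guid, requested_id):
    # Flaw: only checks that someone is logged in, then trusts the id
    # parameter. Any GUID learned elsewhere (e.g. from POSTS) is accepted.
    if session_guid not in ACCOUNTS:
        raise Forbidden("login required")
    return ACCOUNTS[requested_id]


def my_account_fixed(session_guid, requested_id=None):
    # Fix: the account is derived from the server-side session. A supplied id
    # that differs from the session's identity is rejected.
    if session_guid not in ACCOUNTS:
        raise Forbidden("login required")
    if requested_id is not None and requested_id != session_guid:
        raise Forbidden("id does not belong to the logged-in user")
    return ACCOUNTS[session_guid]


def is_forbidden(handler, session_guid, requested_id):
    # Helper for checks: True when the handler refuses the request.
    try:
        handler(session_guid, requested_id)
        return False
    except Forbidden:
        return True
```

Logging each rejected request in the corrected handler also gives defenders a signal that someone is swapping ids between accounts.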