Access control - UID controlled by request parameter with data leakage in redirect

Objective: This lab contains an access control vulnerability where sensitive information is leaked in the body of a redirect response. To solve the lab, obtain the API key for the user carlos and submit it as the solution. You can log in to your own account using the following credentials: wiener:peter.

  1. When we log in as wiener, a POST request is sent, followed by a GET request that includes the id parameter.

  2. If we change the value of id to carlos, we are redirected (status code: 302) to the login page, but the redirect response still includes carlos’s info.
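
The flaw behind step 2, as an added example that is not part of the original post or the lab's own code: a handler that sets the 302 but keeps rendering the requested account, next to a version that authorizes first and returns an empty redirect body. Handler names, markup and API keys are constructed placeholders.

```python
# Added example: hypothetical handlers and constructed sample accounts.
USERS = {
    "wiener": {"api_key": "WIENER-KEY-PLACEHOLDER"},
    "carlos": {"api_key": "CARLOS-KEY-PLACEHOLDER"},
}
ALL_KEYS = [u["api_key"] for u in USERS.values()]


def render_account(user_id):
    """Build the account page for user_id (constructed markup)."""
    key = USERS[user_id]["api_key"]
    return f"<p>Username: {user_id}</p><p>API key: {key}</p>"


def account_vulnerable(session_user, requested_id):
    """Sets a redirect for a foreign id but still renders that account."""
    status, headers = 200, {}
    if requested_id != session_user:
        status, headers = 302, {"Location": "/login"}
        # BUG: no return here, so execution falls through to the render.
    body = render_account(requested_id) if requested_id in USERS else ""
    return status, headers, body


def account_fixed(session_user, requested_id):
    """Authorizes first and returns at once; the redirect has no body."""
    if session_user is None or requested_id != session_user:
        return 302, {"Location": "/login"}, ""
    # Render from the session identity, never from the request parameter.
    return 200, {}, render_account(session_user)


def redirect_leaks(response, secrets):
    """Regression check: a 3xx response must not contain any secret."""
    status, _headers, body = response
    return 300 <= status < 400 and any(s in body for s in secrets)


if __name__ == "__main__":
    for handler in (account_vulnerable, account_fixed):
        resp = handler("wiener", "carlos")
        print(handler.__name__, resp[0], "leaks:", redirect_leaks(resp, ALL_KEYS))
```

A browser follows the 302 and never shows the body, so a check like `redirect_leaks` has to run against the raw response, for example in an integration test or a proxy rule.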

This post is licensed under CC BY 4.0 by the author.