Lab: User ID controlled by request parameter with data leakage in redirect

APPRENTICE

This lab contains an access control vulnerability where sensitive information is leaked in the body of a redirect response.

To solve the lab, obtain the API key for the user carlos and submit it as the solution.

You can access you own account using wiener:peter.

Send the request to Burp Repeater.

Change the "id" parameter to carlos.

Observe that although the response is now redirecting you to the homepage, it has a body containing the API key belonging to carlos.

Submit the API key.

Want to track your progress and have a more personalized learning experience? (It's free!)

SQL injection XSS CSRF Clickjacking DOM-based CORS XXE SSRF Request smuggling Command injection Server-side template injection Insecure deserialization Directory traversal Access control Authentication Web cache poisoning WebSockets