1. Web Security Academy
  2. Access control
  3. Lab

Lab: User ID controlled by request parameter, with unpredictable user IDs


This lab has a horizontal privilege escalation vulnerability on the My Account page, but identifies users with GUIDs.

To solve the lab, find the GUID for carlos, then submit his API key as the solution.

You can access you own account using wiener:peter.