Lab: User ID controlled by request parameter, with unpredictable user IDs
This lab has a horizontal privilege escalation vulnerability on the My Account page, but identifies users with GUIDs.
To solve the lab, find the GUID for carlos, then submit his API key as the solution.
You can access your own account using
1. Find a blog post by carlos and observe that the URL contains his user ID. Make a note of the user ID.
2. Log in using the supplied credentials and access "My Account".
3. Change the "id" parameter to the saved user ID.
4. Retrieve and submit the API key.
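The lab's point is that an unguessable identifier is not an authorization check: the GUID still leaks through the blog author link, and the My Account endpoint serves whatever "id" it is handed. The following is an added example, not the lab's own code, modelling that endpoint in Python with the vulnerable handler beside a hardened one. User records, GUIDs, API keys and the session store are constructed for the example; the hardened version ignores any client-supplied owner id, and treats a mismatching "id" as a probe worth logging.

```python
"""Model of a "My Account" endpoint that exposes the user's API key.

vulnerable_my_account: authenticates the caller, then returns the record
named by the `id` query parameter (horizontal privilege escalation / IDOR).
hardened_my_account: the record served is always the session user's own.
All data below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str   # GUID-style identifier, as the lab's application uses
    username: str
    api_key: str


# Constructed sample users; GUIDs and keys are made up, not the lab's values.
WIENER = User("8a2c6f1e-3b7d-4e0a-9c55-1d2e3f4a5b6c", "wiener", "WIENER-KEY-EXAMPLE")
CARLOS = User("c0ffee00-1234-4abc-8def-0123456789ab", "carlos", "CARLOS-KEY-EXAMPLE")
USERS = {u.user_id: u for u in (WIENER, CARLOS)}

# Hypothetical session store: session cookie value -> authenticated user id.
SESSIONS = {"session-wiener": WIENER.user_id}

# Where the hardened handler records rejected cross-account requests.
audit_log: list[str] = []


def vulnerable_my_account(session_cookie: str, query: dict) -> tuple[int, dict]:
    """Vulnerable: login is checked, but the record returned is whichever
    `id` the client supplies. A GUID that leaks anywhere (here, the blog
    post author link) is enough to read another user's API key."""
    if session_cookie not in SESSIONS:
        return 401, {"error": "not logged in"}
    user = USERS.get(query.get("id", ""))
    if user is None:
        return 404, {"error": "no such user"}
    return 200, {"username": user.username, "apikey": user.api_key}


def hardened_my_account(session_cookie: str, query: dict) -> tuple[int, dict]:
    """Hardened: the owner id comes from the server-side session only.
    A client-supplied `id` that differs from it is refused and logged,
    since a legitimate client never has a reason to send one."""
    owner_id = SESSIONS.get(session_cookie)
    if owner_id is None:
        return 401, {"error": "not logged in"}
    requested = query.get("id")
    if requested is not None and requested != owner_id:
        audit_log.append(f"cross-account access attempt: session user {owner_id} "
                         f"requested id={requested}")
        return 403, {"error": "forbidden"}
    user = USERS[owner_id]
    return 200, {"username": user.username, "apikey": user.api_key}


if __name__ == "__main__":
    probe = {"id": CARLOS.user_id}
    print("vulnerable:", vulnerable_my_account("session-wiener", probe))
    print("hardened:  ", hardened_my_account("session-wiener", probe))
    print("audit log: ", audit_log)
```

Run as a script to see the two handlers answer the same request: the vulnerable one returns carlos's key to wiener's session, the hardened one returns 403 and writes an audit entry. The detection value of that entry is the practical takeaway: a session whose requests name someone else's identifier is a low-noise signal to alert on, independent of whether the identifiers are sequential or GUIDs.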