Portswigger - Access Control - Lab #6 User ID controlled by request parameter with unpredictable use
Hello Hackers, in this video on User ID controlled by request parameter with unpredictable use, you will see how to discover and exploit a flaw in the application's logic flow that leaks sensitive information useful for potential attacks, using Burp Suite in a lab from Web Security Academy powered by PortSwigger.

⚠️ Subscribe to my channel ➡️ @popo_hack ⚠️

0:00 - About the Lab
0:37 - About Globally Unique Identifier (GUID)
1:45 - Log in as Wiener user
2:30 - Find my profile's GUID
3:15 - Test /account endpoint
4:00 - Find Carlos's GUID
5:58 - Get access to user Carlos's profile
6:16 - Send user Carlos's API key

🔍 About the Lab
Lab: User ID controlled by request parameter
Level: Apprentice
This lab has a horizontal privilege escalation vulnerability on the user account page. To solve the lab, obtain the API key for the user carlos and submit it as the solution. You can log in to your own account using the following credentials: wiener:peter

✅ What to do?
1. Find a blog post by carlos.
2. Click on carlos and observe that the URL contains his user ID. Make a note of this ID.
3. Log in using the supplied credentials and access your account page.
4. Change the "id" parameter to the saved user ID.
5. Retrieve and submit the API key.

Thank you for watching my video. If you have any questions or topic recommendations, feel free to write them in the comments below 🙋

#WebSecurityAcademy #portswigger #vulnerability
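The server-side cause of this flaw and its fix, as an added example that is not from the video or the lab: an account handler that trusts the "id" parameter beside one that authorizes against the session. All function names, the blog record and the API key strings are hypothetical and constructed for illustration.

```python
import uuid

# Constructed sample data: accounts keyed by random GUIDs, as in the lab.
USERS = {}


def _add_user(username, api_key):
    guid = str(uuid.uuid4())
    USERS[guid] = {"username": username, "api_key": api_key}
    return guid


WIENER_ID = _add_user("wiener", "constructed-key-wiener")
CARLOS_ID = _add_user("carlos", "constructed-key-carlos")

# Constructed blog record: the author link carries the author's GUID, so an
# unpredictable ID is still disclosed to every reader of the post.
BLOG_POSTS = [{"title": "Sample post", "author": "carlos", "author_id": CARLOS_ID}]


def account_vulnerable(session_user_id, requested_id):
    """Weak form: checks that a session exists, then serves whichever
    account the request parameter names. Ownership is never compared."""
    if session_user_id not in USERS:
        return 401, None
    account = USERS.get(requested_id)
    if account is None:
        return 404, None
    return 200, account


def account_hardened(session_user_id, requested_id=None):
    """Corrected form: the session decides whose account is served.
    A supplied id that differs from the session owner is refused."""
    if session_user_id not in USERS:
        return 401, None
    if requested_id is not None and requested_id != session_user_id:
        # Worth logging: a logged-in user asked for someone else's account.
        return 403, None
    return 200, USERS[session_user_id]
```

The GUID only makes the identifier hard to guess; the ownership comparison in `account_hardened` is what enforces access control once the identifier is disclosed elsewhere in the application.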