
User ID controlled by request parameter, with unpredictable user IDs

Introduction

Portswigger

Category: Access control vulnerabilities

Write-up date: 10/06/2025

Question: This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.

To solve the lab, find the GUID for carlos, then submit his API key as the solution.

You can log in to your own account using the following credentials: wiener:peter

Point: APPRENTICE

Recon

After logging into the wiener account, the URL redirects us to /my-account?id=d07d7f10-e277-41d0-b501-d4bee42cb069.

From the URL parameter, we can confirm that the id parameter identifies each user.

Looking through the posts, /post?postId=9 has carlos's name on it. Clicking the name redirects us to /blogs?userId=3669be42-ded5-4207-a2c2-a2ce278c2936, so we know that 3669be42-ded5-4207-a2c2-a2ce278c2936 corresponds to carlos's account.

Exploit

Normally a user shouldn't have permission to access other users' information. But when the server has a logic error like this one, you can easily access another user's profile and steal their information.

Changing id to 3669be42-ded5-4207-a2c2-a2ce278c2936 (/my-account?id=3669be42-ded5-4207-a2c2-a2ce278c2936) reveals his API key. Submit his API key and the lab is solved.
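To show the server-side cause and its fix, here is an added Python example (not the lab's code): a /my-account handler that trusts the id parameter, beside one that binds the account to the session and records the mismatch for detection. The GUIDs are the two from this write-up; the user store and API key values are constructed placeholders.

```python
from typing import Optional

# Constructed sample user store keyed by GUID (API keys are placeholders).
USERS = {
    "d07d7f10-e277-41d0-b501-d4bee42cb069": {"name": "wiener", "api_key": "WIENER-KEY-PLACEHOLDER"},
    "3669be42-ded5-4207-a2c2-a2ce278c2936": {"name": "carlos", "api_key": "CARLOS-KEY-PLACEHOLDER"},
}
WIENER_ID = "d07d7f10-e277-41d0-b501-d4bee42cb069"
CARLOS_ID = "3669be42-ded5-4207-a2c2-a2ce278c2936"

# Mismatch events a hardened handler would emit for monitoring (constructed).
AUDIT_LOG: list = []


def my_account_vulnerable(session_user_id: str, params: dict) -> Optional[dict]:
    """Mirrors the lab's flaw: the profile shown is whatever ?id= names.

    The GUID being unpredictable is not an access control: it leaks through
    the public /blogs?userId=... link, so anyone who reads a post can supply it.
    """
    target = params.get("id", session_user_id)
    return USERS.get(target)


def my_account_hardened(session_user_id: str, params: dict) -> Optional[dict]:
    """The profile shown is always the authenticated user's own.

    An id parameter is tolerated only when it equals the session user; any
    other value is rejected (None here, a 403 in a real app) and logged, since
    a session/parameter mismatch is a strong signal of IDOR probing.
    """
    requested = params.get("id")
    if requested is not None and requested != session_user_id:
        AUDIT_LOG.append({"event": "idor_attempt", "session_user": session_user_id,
                          "requested_id": requested})
        return None
    return USERS.get(session_user_id)


if __name__ == "__main__":
    # wiener's session asking for carlos's GUID, against both handlers
    print("vulnerable:", my_account_vulnerable(WIENER_ID, {"id": CARLOS_ID}))
    print("hardened:  ", my_account_hardened(WIENER_ID, {"id": CARLOS_ID}))
    print("audit:     ", AUDIT_LOG)
```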
