User ID controlled by request parameter
Introduction
Portswigger
Category: Access control vulnerabilities
Write-up date: 10/06/2025
Question: This lab has a horizontal privilege escalation vulnerability on the user account page.
To solve the lab, obtain the API key for the user carlos and submit it as the solution.
You can log in to your own account using the following credentials: wiener:peter
Point: APPRENTICE
Recon
After logging in to the wiener account, the site redirects to /my-account?id=wiener.
The id query parameter therefore selects which user's account page is shown; each user has their own value.
Exploit
Normally a user should not have permission to view another user's account information. But when the server trusts the client-supplied id instead of checking it against the logged-in session, you can read other users' profiles and steal their information.
Changing id to carlos (/my-account?id=carlos) reveals his API key; submit that API key to solve the lab.
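As an added illustration (not part of this write-up or of PortSwigger's lab code), here is the flawed handler beside a hardened one that resolves the account from the server-side session, plus a log check that flags requests whose id parameter names a different user than the session. The account store, API keys and log lines are constructed placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Constructed account store; the keys are placeholders, not lab values.
USERS = {
    "wiener": {"email": "wiener@example.test", "api_key": "WIENER-KEY-PLACEHOLDER"},
    "carlos": {"email": "carlos@example.test", "api_key": "CARLOS-KEY-PLACEHOLDER"},
}

class Forbidden(Exception):
    """Raised when a request is refused by the access-control check."""

def my_account_vulnerable(session, params):
    """Flawed handler: the account returned is whatever ?id= names, so any
    logged-in user can read any other user's profile and API key."""
    if "user" not in session:
        raise Forbidden("not logged in")
    requested = params.get("id", session["user"])
    return {"id": requested, **USERS[requested]}

def my_account_fixed(session, params):
    """Hardened handler: the owner comes from the server-side session, and a
    client-supplied id that names someone else is refused, not honoured."""
    if "user" not in session:
        raise Forbidden("not logged in")
    owner = session["user"]
    if params.get("id", owner) != owner:
        raise Forbidden(f"{owner} requested account {params['id']}")
    return {"id": owner, **USERS[owner]}

# Constructed access-log lines in the form "<session user> <method> <path>".
SAMPLE_LOG = [
    "wiener GET /my-account?id=wiener",
    "wiener GET /my-account?id=carlos",
    "carlos GET /my-account?id=carlos",
]

def find_id_mismatches(lines):
    """Detection: list (session user, requested id) pairs where the id
    parameter names a different account than the authenticated session."""
    hits = []
    for line in lines:
        user, _method, path = line.split(" ", 2)
        requested = parse_qs(urlparse(path).query).get("id", [user])[0]
        if requested != user:
            hits.append((user, requested))
    return hits
```

The mismatch list is the signal to alert on: a single user session requesting many different id values is the access pattern this lab's flaw enables.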
