User ID controlled by request parameter with data leakage in redirect
Let's log in using the following credentials:

| Username | Password |
|---|---|
| wiener | peter |

Since we are proxying the traffic through Burp Suite, we will be able to view the request in Proxy > HTTP History.
We can see that the URI contains the id parameter set to wiener.
Let's forward it to the Repeater for further modification.
Once in the Repeater, we can set the id parameter to the following and send the request:
carlos
As we can see, the response contains a 302 status code, which means that it is a redirection response.
We can follow the redirection; however, it is not necessary since we have the API key. Let's submit the key.
We have solved the lab.
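
The flaw behind this lab, as an added example that is not part of the original write-up or the lab's own code: a handler that renders the account page for whatever id is requested and only then decides to redirect, next to a hardened form that authorizes first and sends an empty redirect. The handler names, the `/login` target, the page markup and the API key values are assumptions constructed for illustration.

```python
# Added example: handler names, markup and keys are constructed, not the lab's code.
USERS = {  # constructed sample accounts; API keys are placeholders
    "wiener": {"api_key": "PLACEHOLDER-KEY-WIENER"},
    "carlos": {"api_key": "PLACEHOLDER-KEY-CARLOS"},
}

def render_account(user_id):
    """Build the account page for one user (hypothetical markup)."""
    key = USERS[user_id]["api_key"]
    return f"<p>Your username is: {user_id}</p><p>Your API Key is: {key}</p>"

def account_vulnerable(session_user, requested_id):
    """Renders the page for the requested id first, then decides to redirect."""
    if requested_id not in USERS:
        return 404, {}, ""
    body = render_account(requested_id)  # data for ANY id is rendered here
    if requested_id != session_user:
        # The redirect is sent, but the already-rendered body travels with it.
        return 302, {"Location": "/login"}, body
    return 200, {}, body

def account_hardened(session_user, requested_id):
    """Authorizes before touching the record; the redirect carries no body."""
    if session_user is None or requested_id != session_user:
        return 302, {"Location": "/login"}, ""
    # Render from the session identity, never from the request parameter.
    return 200, {}, render_account(session_user)

def leaks_in_redirect(handler, session_user, requested_id, secret):
    """Regression check: a 3xx response must not contain another user's secret."""
    status, _headers, body = handler(session_user, requested_id)
    return 300 <= status < 400 and secret in body

if __name__ == "__main__":
    secret = USERS["carlos"]["api_key"]
    for handler in (account_vulnerable, account_hardened):
        leaked = leaks_in_redirect(handler, "wiener", "carlos", secret)
        print(f"{handler.__name__}: secret in redirect body = {leaked}")
```

A check like `leaks_in_redirect` fits in an integration test suite, because browsers follow the redirect and never display the body, so this leak does not show up in manual click-through testing.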