
User ID controlled by request parameter with data leakage in redirect


Let's log in using the following credentials:

Username: wiener
Password: peter


Since we are proxying the traffic through Burp Suite, we will be able to view the request in Proxy > HTTP History.


We can see that the URI contains the id parameter set to wiener.

Let's forward it to the Repeater for further modification.

Once in the Repeater, we can set the id parameter to the following and send the request:

carlos


As we can see, the response has a 302 status code, which means it is a redirection response.

We could follow the redirection, but that is not necessary, since we already have the API key. Let's submit the key.


We have solved the lab.
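The server-side mistake behind a key-bearing 302, shown beside a corrected handler and a regression check. This is an added example, not the lab's code or part of the original walkthrough. The handler names, the `/login` target, the page text and the key values are assumptions constructed for illustration.

```python
# Constructed model of the bug class; not the lab's real server code.
# USERS, the key values, "/login" and all function names are hypothetical.
USERS = {
    "wiener": {"api_key": "EXAMPLE-KEY-WIENER"},
    "carlos": {"api_key": "EXAMPLE-KEY-CARLOS"},
}


def render_account(user_id):
    """Build the account page body for a user id."""
    key = USERS[user_id]["api_key"]
    return f"Your username is: {user_id}\nYour API Key is: {key}\n"


def my_account_vulnerable(session_user, requested_id):
    """Renders the page for the id in the request, then redirects on a
    mismatch without discarding the body that was already built."""
    body = render_account(requested_id)  # data chosen by the client-controlled id
    if session_user != requested_id:
        return 302, {"Location": "/login"}, body  # body still sent: the leak
    return 200, {}, body


def my_account_hardened(session_user, requested_id):
    """Authorizes before touching any data and sends an empty redirect body."""
    if session_user is None or session_user != requested_id:
        return 302, {"Location": "/login"}, ""
    return 200, {}, render_account(session_user)  # identity taken from the session


def redirect_leaks(response, markers=("API Key",)):
    """Regression check: a 3xx response must not carry sensitive content."""
    status, _headers, body = response
    return 300 <= status < 400 and any(m in body for m in markers)


if __name__ == "__main__":
    # Same request as in the walkthrough: logged in as wiener, id=carlos.
    for handler in (my_account_vulnerable, my_account_hardened):
        resp = handler("wiener", "carlos")
        print(handler.__name__, resp[0], "leaks:", redirect_leaks(resp))
```

A browser follows the redirect and never displays the 302 body, which is why this kind of leak is only visible in a proxy or in an automated check like `redirect_leaks`.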
