Scribd Logo
Upload

Welcome to Scribd!

  • Lab 7 - User ID Controlled by Request Parameter, With Unpredictable User IDs

    Uploaded by

    DODOXD Mekheimer
    62 views4 pages
    A user accessed another user's account page by intercepting a request and replacing the user ID parameter with a different ID, gaining unauthorized access. The document outlines logging in as one user, observing a request to view another user's blog, copying that user's ID, and replacing the ID in the account page request to access the other user's account page instead of the intended one. It concludes with lessons to not include user identifiers in requests and to not allow identifiers to be modified to access another user's data.

    Original Description:

    Original Title

    Lab 7 - User ID controlled by request parameter, with unpredictable user IDs

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    A user accessed another user's account page by intercepting a request and replacing the user ID parameter with a different ID, gaining unauthorized access. The document outlines logging in as one user, observing a request to view another user's blog, copying that user's ID, and replacing the ID in the account page request to access the other user's account page instead of the intended one. It concludes with lessons to not include user identifiers in requests and to not allow identifiers to be modified to access another user's data.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    62 views4 pages

    Lab 7 - User ID Controlled by Request Parameter, With Unpredictable User IDs

    Uploaded by

    DODOXD Mekheimer
    A user accessed another user's account page by intercepting a request and replacing the user ID parameter with a different ID, gaining unauthorized access. The document outlines logging in as one user, observing a request to view another user's blog, copying that user's ID, and replacing the ID in the account page request to access the other user's account page instead of the intended one. It concludes with lessons to not include user identifiers in requests and to not allow identifiers to be modified to access another user's data.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    Lab 7 - User ID controlled by request parameter, with unpredictable

    user IDs
    Ahmed Khaled Saad Ali ID:1809799
    Lab Progress & Screenshots:
    Logged in as wiener.

    We found out carlos has written a blog, so we turn Intercept ON and see what we
    get in request.
    We find carlos’s userId.

    so we copy it and go to wiener’s account page to replace it with wiener’s userId.


    Carlos’s account page accessed, API Key copied, lab solved.
    Lessons:
    1) Make sure that when a user clicks to view another user they don’t send
    identifiers to that user in requests.
    2) Don’t simply include identifiers of a user in when he sends a request.

    You might also like