Lab: User ID controlled by request parameter

login as wiener:peter

we can see the id in the url parameter

and the api key in the page

send it to repeater and just change the id parameter from wiener to carlos

we can now access the api key of user carlos

just submit the solution

PreviousAccess ControlNextLab: Unprotected admin functionality

Last updated