This lab contains an access control vulnerability where sensitive information is leaked in the body of a redirect response.
To solve the lab, obtain the API key for the user carlos and submit it as the solution.
You can log in to your own account using the following credentials: wiener:peter
We log in with the given credentials. The username appears in the id parameter value.
If we change the id value to carlos, we are not given access to carlos's account, but the API key is disclosed in the body of the redirect response.
We submit the API key as the solution and the lab is solved.
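The server-side flaw behind this behaviour, next to a corrected handler, as an added example that is not the lab's own code. The handler names, the /login redirect target and the key values are assumptions made for illustration.

```python
# Constructed sample data; usernames mirror the lab, keys are placeholders.
USERS = {
    "wiener": {"api_key": "WIENER-KEY-PLACEHOLDER"},
    "carlos": {"api_key": "CARLOS-KEY-PLACEHOLDER"},
}


def render_account(username):
    """Render the account page, including the owner's API key."""
    key = USERS[username]["api_key"]
    return f"<h1>My account</h1><p>Your API key is: {key}</p>"


def account_vulnerable(session_user, requested_id):
    """Flawed pattern: the page is rendered first, and the redirect only
    changes the status and headers, so the body still travels with the 302."""
    body = render_account(requested_id)
    if requested_id != session_user:
        return 302, {"Location": "/login"}, body  # body is never cleared
    return 200, {}, body


def account_fixed(session_user, requested_id):
    """Authorize before reading the requested user's data and stop on
    failure, so the redirect carries an empty body."""
    if session_user is None or requested_id != session_user:
        return 302, {"Location": "/login"}, ""
    return 200, {}, render_account(session_user)


def redirect_leaks(response, secret):
    """Regression check: a 3xx response must not contain the secret."""
    status, _headers, body = response
    return 300 <= status < 400 and secret in body


if __name__ == "__main__":
    secret = USERS["carlos"]["api_key"]
    for handler in (account_vulnerable, account_fixed):
        resp = handler("wiener", "carlos")
        print(handler.__name__, resp[0], "leaks:", redirect_leaks(resp, secret))
```

A browser follows the 302 and never shows its body, which is why this kind of leak goes unnoticed unless responses are checked with a test like redirect_leaks.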