Difficulty: Medium
Level 2: Privilege Escalation - Horizontal
Objective
Edit another user's profile data. Log in as alice (user 1), then modify bob's (user 3) data.
Login: POST /api/login {"username":"alice","password":"alice123"}
Then: PUT /api/users/3 with alice's token and a JSON body.
Test Credentials
| Username | Password   | Role  | ID |
|----------|------------|-------|----|
| alice    | alice123   | user  | 1  |
| bob      | bob456     | user  | 2  |
| charlie  | charlie789 | user  | 3  |
| admin    | admin321   | admin | 4  |
Hint: Log in as alice (user 1), then send a PUT request to /api/users/3 with a JSON body like {"email": "hacked@ids.local"}. The server allows any authenticated user to modify any other user's data because it checks only that the request carries a valid token, not that the token's owner is allowed to change the requested record.
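The following is an added example, not the lab's own server code: a minimal in-memory model of the PUT /api/users/<id> handler in its vulnerable form next to a hardened form that adds the missing object-level authorization check (owner or admin only) and a field whitelist. The user records and the helper names are constructed for this illustration; ids and roles follow the credentials table above.

```python
# Added example (not the lab's code): vulnerable vs. hardened update handler.
from copy import deepcopy

# Constructed sample data mirroring the lab's user table (passwords omitted).
USERS = {
    1: {"username": "alice", "role": "user", "email": "alice@ids.local"},
    2: {"username": "bob", "role": "user", "email": "bob@ids.local"},
    3: {"username": "charlie", "role": "user", "email": "charlie@ids.local"},
    4: {"username": "admin", "role": "admin", "email": "admin@ids.local"},
}

ALLOWED_FIELDS = {"email"}  # fields a client is permitted to change


def update_user_vulnerable(users, caller_id, target_id, body):
    """Checks only that the caller is authenticated: any valid token may edit any record."""
    if caller_id not in users:
        return 401, {"error": "unauthenticated"}
    if target_id not in users:
        return 404, {"error": "no such user"}
    users[target_id].update(body)
    return 200, users[target_id]


def update_user_hardened(users, caller_id, target_id, body):
    """Adds the object-level authorization check and a whitelist of writable fields."""
    if caller_id not in users:
        return 401, {"error": "unauthenticated"}
    caller = users[caller_id]
    # Object-level check, done before the existence check so that a
    # non-admin cannot use 403/404 differences to enumerate user ids.
    if caller_id != target_id and caller["role"] != "admin":
        return 403, {"error": "forbidden"}
    if target_id not in users:
        return 404, {"error": "no such user"}
    unknown = set(body) - ALLOWED_FIELDS  # mass-assignment guard (e.g. "role")
    if unknown:
        return 400, {"error": "unexpected fields", "fields": sorted(unknown)}
    users[target_id].update(body)
    return 200, users[target_id]


def demo():
    """Replays the lab scenario (alice, id 1, editing id 3) against both handlers."""
    body = {"email": "hacked@ids.local"}
    vuln, hard = deepcopy(USERS), deepcopy(USERS)
    return {
        "vulnerable": update_user_vulnerable(vuln, 1, 3, body)[0],
        "hardened": update_user_hardened(hard, 1, 3, body)[0],
        "self_update": update_user_hardened(hard, 1, 1, body)[0],
        "admin_update": update_user_hardened(hard, 4, 3, body)[0],
        "role_change": update_user_hardened(hard, 1, 1, {"role": "admin"})[0],
    }
```

Running demo() shows the vulnerable handler returning 200 for the cross-user edit, while the hardened one returns 403 for it, still allows self-edits and admin edits, and rejects an attempt to write the role field.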