User ID controlled by request parameter (Apprentice Level)
In this video, I demonstrate how to solve the "User ID controlled by request parameter" lab from PortSwigger Web Security Academy. The lab shows a common access control flaw: the application decides whose data to return based on a parameter the user supplies, rather than on the identity of the authenticated session. Instead of enforcing an authorization check on the server side, the application reads a request parameter (such as id) and fetches that user's record. By changing the parameter to another user's identifier, an attacker with an ordinary account can read other users' information. Because the attacker gains access to data belonging to users at the same privilege level, this is horizontal privilege escalation. In the walkthrough, we log in, observe the user ID parameter in the account request, modify it, and show that the other user's data is returned because no server-side access control validation takes place.

Topics covered in this video:
- Understanding access control vulnerabilities based on user-supplied IDs
- Identifying insecure direct object references (IDOR)
- Exploiting horizontal privilege escalation
- Accessing other users' data

This vulnerability is a classic example of Broken Access Control, one of the most critical risks in the OWASP Top 10. The practical lesson is that an endpoint serving per-user data must derive the user from the authenticated session and either ignore a client-supplied identifier or reject the request when it does not match; the identifier in a URL is attacker-controlled input, not evidence of authorization. The PortSwigger Web Security Academy labs provide hands-on practice with real-world web application security issues and help build penetration testing skills. This video is useful for application security engineers, penetration testers, bug bounty hunters, and anyone preparing for web security certifications or interviews.
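To make the flaw and its fix concrete, here is an added example, written for this page and not taken from the video or from PortSwigger's lab code. It models the vulnerable account endpoint next to a hardened version using plain Python functions rather than a web framework, so it runs offline. The user store, the user names, the request shape (a dict with a session and query parameters) and the function names are all assumptions for illustration; the point is the authorization logic, not the framework.

```python
# Added example (not the video's or PortSwigger's code): a minimal model of
# an account endpoint that trusts the `id` query parameter, beside a version
# that authorizes against the authenticated session instead.

# Constructed sample data; user names and values are assumptions.
USERS = {
    "wiener": {"id": "wiener", "email": "wiener@example.com", "apikey": "key-for-wiener"},
    "carlos": {"id": "carlos", "email": "carlos@example.com", "apikey": "key-for-carlos"},
}


def make_request(session_user, id_param):
    """Build a toy request: who the session belongs to, and the ?id= value sent."""
    return {"session": {"user": session_user}, "params": {"id": id_param}}


def vulnerable_my_account(request):
    """GET /my-account?id=<user> as in the lab: the record returned is chosen
    purely by the client-supplied parameter. Returns (status, body)."""
    user_id = request["params"].get("id")
    user = USERS.get(user_id)
    if user is None:
        return 404, None
    # No check that the session actually belongs to `user_id`: any logged-in
    # (or even anonymous) client can read any user's record.
    return 200, user


def hardened_my_account(request):
    """Same endpoint with the access control check the lab is missing.
    The session decides whose data is served; the parameter is only validated."""
    session_user = request["session"].get("user")
    if session_user is None:
        return 401, None  # not authenticated
    # If the client sends an id, it must match the session user; otherwise 403.
    requested = request["params"].get("id") or session_user
    if requested != session_user:
        return 403, None
    return 200, USERS[session_user]


def can_read_other_user(handler, attacker="wiener", victim="carlos"):
    """True if a session for `attacker` can read `victim`'s record by changing
    the id parameter, i.e. the endpoint is exposed to horizontal escalation."""
    status, body = handler(make_request(attacker, victim))
    return status == 200 and body is not None and body["id"] == victim


if __name__ == "__main__":
    # Reproduce the lab step: log in as one user, then swap the id parameter.
    print("vulnerable:", vulnerable_my_account(make_request("wiener", "carlos")))
    print("hardened:  ", hardened_my_account(make_request("wiener", "carlos")))
    print("vulnerable leaks other users' data:", can_read_other_user(vulnerable_my_account))
    print("hardened leaks other users' data:  ", can_read_other_user(hardened_my_account))
```

The hardened handler keeps accepting the id parameter only so that existing links keep working for the legitimate user; the alternative of dropping the parameter entirely and always serving the session user's record is simpler and equally correct. For an endpoint that administrators may use to view any account, the comparison would be replaced by a role check on the session, but the principle is the same: the decision comes from server-side state, never from the identifier the client sent.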