User ID controlled by request parameter, with unpredictable user IDs (Apprentice Level)
In this video, I demonstrate how to solve the "User ID controlled by request parameter, with unpredictable user IDs" lab from PortSwigger Web Security Academy. The lab shows an access control vulnerability in which user data is selected by a request parameter, but the application uses non-sequential, unpredictable identifiers instead of incrementing numbers. The hard-to-guess IDs stop an attacker from simply enumerating accounts, yet the application still never checks that the requested identifier belongs to the authenticated user. So if an attacker can obtain another user's identifier by any route, they can read that user's data: a classic Insecure Direct Object Reference (IDOR). Unpredictability is only obscurity; the object-level authorization check is what is missing.

In this walkthrough, we analyse the application's behaviour, identify how user identifiers are used, and show how another user's ID can be discovered from the application's own behaviour. We then intercept and modify the request in Burp Suite to access restricted data belonging to that user.

Topics covered in this video:
Understanding IDOR with unpredictable identifiers
Why unpredictable IDs are not a secure defense
Identifying and exploiting horizontal privilege escalation
Discovering user identifiers through application behaviour
Intercepting and modifying requests using Burp Suite

This vulnerability falls under Broken Access Control, one of the most critical risks in the OWASP Top 10. The labs from PortSwigger Web Security Academy provide hands-on practice for learning real-world web application security issues and improving penetration testing skills. This video is useful for application security engineers, penetration testers, bug bounty hunters, and anyone preparing for web security certifications or interviews.
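The following Python script is an added example, not code from the video or from PortSwigger, that illustrates the two halves of the attack described above: harvesting another user's identifier from a page where the application exposes it, and then presenting that identifier to an account endpoint that authenticates the caller but never checks ownership. The HTML fragment, the GUIDs, the `userId` link parameter, the `session-of-wiener` token and the `my_account_*` handlers are all constructed for the example and are assumptions about the lab's implementation, not facts taken from this page. The hardened handler next to the vulnerable one shows the check that unpredictable IDs do not replace.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# --- Step 1: leaked identifiers ------------------------------------------
# Constructed sample of a blog post page. The markup, the "userId" parameter
# and every GUID below are made up for this example (assumption, not from the lab).
SAMPLE_POST_HTML = """
<article>
  <h1>Constructed post</h1>
  <p><span id="blog-author"><a href="/blogs?userId=a1b2c3d4-1111-4222-8333-444455556666">carlos</a></span></p>
</article>
<article>
  <h1>Another constructed post</h1>
  <p><span id="blog-author"><a href="/blogs?userId=0f9e8d7c-2222-4333-8444-555566667777">administrator</a></span></p>
</article>
"""

# Matches the 36-character GUID in an author link and the link text (the username).
AUTHOR_LINK_RE = re.compile(r'userId=([0-9a-f-]{36})"[^>]*>([^<]+)</a>')


def extract_user_ids(html: str) -> Dict[str, str]:
    """Map each author name found on the page to the GUID leaked in its link."""
    return {name: guid for guid, name in AUTHOR_LINK_RE.findall(html)}


# --- Step 2: simulated /my-account?id=<guid> handler ----------------------
@dataclass(frozen=True)
class User:
    id: str
    username: str
    api_key: str  # the per-user secret an IDOR would expose


WIENER_ID = "7c6b5a49-0000-4000-8000-000000000001"
CARLOS_ID = "a1b2c3d4-1111-4222-8333-444455556666"

# Constructed accounts and a single logged-in session belonging to "wiener".
USERS = {
    WIENER_ID: User(WIENER_ID, "wiener", "wiener-key"),
    CARLOS_ID: User(CARLOS_ID, "carlos", "carlos-key"),
}
SESSIONS = {"session-of-wiener": WIENER_ID}


def my_account_vulnerable(session: str, requested_id: str) -> Tuple[int, Optional[User]]:
    """Authenticates the caller, then trusts the id parameter as the object selector (IDOR)."""
    if session not in SESSIONS:
        return 401, None
    # The GUID is unpredictable, but it is still attacker-controlled input.
    user = USERS.get(requested_id)
    if user is None:
        return 404, None
    return 200, user


def my_account_fixed(session: str, requested_id: str) -> Tuple[int, Optional[User]]:
    """Same endpoint with object-level authorization: the id must match the session's user."""
    caller_id = SESSIONS.get(session)
    if caller_id is None:
        return 401, None
    if requested_id != caller_id:
        return 403, None  # or drop the parameter entirely and always serve the caller's record
    return 200, USERS[caller_id]


if __name__ == "__main__":
    leaked = extract_user_ids(SAMPLE_POST_HTML)
    print("harvested:", leaked)
    print("vulnerable:", my_account_vulnerable("session-of-wiener", leaked["carlos"]))
    print("fixed:     ", my_account_fixed("session-of-wiener", leaked["carlos"]))
```

Against a live target the harvesting step is the GET for a blog post and the second step is the modified `my-account` request replayed from Burp Repeater; the point of the simulation is that the only difference between the two handlers is the comparison against the session's own user ID.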