From the challenge name "Idooro", we can already suspect the presence of an IDOR (Insecure Direct Object Reference) vulnerability. This type of issue occurs when an application exposes internal object references without proper authorization checks. You can read more about this vulnerability on PortSwigger, which provides detailed explanations and practical examples.
At the start of the challenge, we notice a simple web application interface.

So let's register with:
username = Z3DX && password = Z3DX

After registering, let's log in.


After logging in, we notice the following URL: /profile/67. The number looks like a user ID taken straight from the URL, which points to a possible IDOR vulnerability.
By simply changing the ID from 67 to 66, the application loads another user's profile with no authorization check, and the flag is revealed.
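To make the root cause and the fix concrete, here is an added example (not the challenge's code or the author's): a minimal `/profile/<id>` handler in the challenge's vulnerable shape, the same handler authorizing against the session instead of the URL, and a small log check that spots the ID-walking pattern this kind of exploit leaves behind. The user table, session model and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data modelled on the challenge: 67 is the account we
# registered, 66 is the neighbouring one. 66's profile text is a placeholder.
USERS = {
    66: {"username": "other_user", "profile": "FLAG_PLACEHOLDER"},
    67: {"username": "Z3DX", "profile": "Hello Z3DX"},
}
PROFILE_RE = re.compile(r"^/profile/(\d+)$")

@dataclass
class Request:
    path: str
    session_user_id: int  # user the (hypothetical) session cookie resolves to

def profile_vulnerable(req: Request):
    """Behaves like the challenge app: the ID in the URL is trusted as-is."""
    m = PROFILE_RE.match(req.path)
    if not m or int(m.group(1)) not in USERS:
        return 404, "not found"
    return 200, USERS[int(m.group(1))]["profile"]

def profile_hardened(req: Request):
    """Authorization comes from the session, never from the URL. Answering 404
    (not 403) for someone else's ID also avoids confirming which IDs exist."""
    m = PROFILE_RE.match(req.path)
    user = USERS.get(req.session_user_id)
    if not m or user is None or int(m.group(1)) != req.session_user_id:
        return 404, "not found"
    return 200, user["profile"]

# Detection side: constructed access-log lines, one request per line.
ACCESS_LOG = """\
sess=a1 GET /profile/67 200
sess=a1 GET /profile/66 200
sess=a1 GET /profile/65 200
sess=b2 GET /profile/12 200
sess=b2 GET /profile/12 200
"""
LOG_RE = re.compile(r"sess=(\w+) GET /profile/(\d+) (\d{3})")

def enumerating_sessions(log: str, threshold: int = 3):
    """Sessions that fetched `threshold` or more distinct profile IDs:
    the enumeration pattern an IDOR exploit leaves in the logs."""
    seen = defaultdict(set)
    for sess, uid, _status in LOG_RE.findall(log):
        seen[sess].add(uid)
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)
```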

After the change:



So the flag is: Flag{QCFAQWJkVzRaTUQ3U3NyRCtlZTkyZG1XWTZBTXRTdkdmOXBkMTRUMmJGVEtRbUVkK3pjQVVCNUdRSFBVdDVGcm1vWmM3ODQyNjNmZTUwMzI4ZDU=}
Follow me on LinkedIn for more 🚀
See you soon! 👋😄
#CyberSecurity #WebPentesting #CTF #Z3DX