July 7, 2026
Insecure direct object references
introduction:
By Mahmoud Tarek
This lab on portswigger talk about IDOR vulnerability
its a very high vulnerability ,because it make the attacker
to see the data of another one or steal it.
The answer:
he want me to access account with carlos user.
I started by using website to see what happen,
I note that when we chat we can download transaction ,
I intercept the request of download transaction and i can
modify the request by download another transaction of another person
as we see click on view transaction and intercept request with burp
Then modify 2.txt to 1.txt we see transaction of carlos that contain his password.
now, we can login as carlos.