🎯 Objective
Gain unauthorized access to the administrator account and delete the user carlos.
🧠 Vulnerability Overview
The application is vulnerable to Insecure Direct Object Reference (IDOR).
This occurs when:
- The application uses user-controlled input (the id parameter) to select which object to return
- There is no server-side authorization check on that input
- Users can access other users' data simply by modifying request parameters
🔍 Reconnaissance
After logging in with the provided credentials:
GET /my-account?id=wiener HTTP/1.1
The application returns account details for the logged-in user.
📌 Observation:
- The id parameter directly references the username
- No validation is performed to confirm that the requesting session owns that account
⚙️ Exploitation Steps
1️⃣ Login as normal user
Use supplied credentials:
username: wiener
password: peter
2️⃣ Access account page
Navigate to:
/my-account?id=wiener
3️⃣ Intercept request using Burp Suite
- Turn Intercept ON
- Capture the request
- Send to Repeater
4️⃣ Modify the id parameter
Change:
GET /my-account?id=wiener
To:
GET /my-account?id=administrator
5️⃣ Analyze the response
The server responds with:
username: administrator
password: eeun327dee7ixb1x1g2o
🔥 Sensitive information disclosure confirmed.
6️⃣ Login as administrator
Use extracted credentials:
username: administrator
password: eeun327dee7ixb1x1g2o
7️⃣ Delete user "carlos"
- Navigate to admin panel
- Locate user: carlos
- Delete the user
✅ Lab completed successfully 🎉
⚠️ Impact
This vulnerability allows:
- Unauthorized access to other users' accounts
- Exposure of sensitive data (passwords)
- Full account takeover (including admin)
🛡️ Mitigation
To prevent IDOR vulnerabilities:
- ✅ Implement server-side authorization checks
- ✅ Ensure users can only access their own data
- ✅ Avoid exposing direct object references (use indirect IDs)
- ✅ Validate session ownership before returning data
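As an added example (not code from the lab or from this writeup), here is a minimal request handler in Python showing the vulnerable lookup beside the hardened version that validates session ownership and never returns the password field. The in-memory user table, the Session class and the handler names are assumptions made for illustration.

```python
# Added example: vulnerable vs. hardened handling of /my-account?id=<user>.
# The user store, session object and handler names are constructed for
# illustration only; they are not the lab's code.
from dataclasses import dataclass

# Constructed user store (username -> record). The password values are
# placeholders; a real store would hold only password hashes.
USERS = {
    "wiener": {"username": "wiener", "password": "peter", "role": "user"},
    "administrator": {"username": "administrator",
                      "password": "PLACEHOLDER-ADMIN-PASSWORD", "role": "admin"},
}


@dataclass
class Session:
    """Server-side session: the authenticated identity, never client-controlled."""
    username: str


def my_account_vulnerable(session: Session, params: dict) -> tuple[int, dict]:
    """IDOR: trusts the client-supplied id and returns that record verbatim."""
    user = USERS.get(params.get("id", ""))
    if user is None:
        return 404, {"error": "not found"}
    # Returns whichever account was requested, password included.
    return 200, user


def my_account_fixed(session: Session, params: dict) -> tuple[int, dict]:
    """Hardened: the referenced object must match the session's own identity,
    and sensitive fields are never part of the response."""
    requested = params.get("id", session.username)
    if requested != session.username:
        # Authorization failure: refuse instead of serving the requested object.
        # (A real handler would also log the mismatch for detection.)
        return 403, {"error": "forbidden"}
    user = USERS[session.username]          # resolved from the session, not the request
    return 200, {"username": user["username"], "role": user["role"]}
```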
🧩 Key Takeaway
Never trust user-controlled input for access control decisions.
🔥 Good job — this is so classic IDOR, very common in bug bounty.