OWASP TOP 10

IDOR - Insecure Direct Object Reference

Beginner | A01:2021 - Access Control | 100 points
Challenge Description

This employee portal uses sequential numeric IDs to reference user profiles, documents, and orders. The application doesn't verify that the currently logged-in user has permission to access the requested resource.

You are logged in as user ID 1004. Your goal is to access the admin user's profile (ID 1001) to find the secret flag.

Learning Objective: Understand how IDOR vulnerabilities allow unauthorized access to other users' data through predictable identifiers.
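The description above boils down to one missing step on the server: the handler trusts the ID in the URL and never asks whether the session's user is allowed to see that object. The following is an added example, not the challenge's own code, that models the three endpoints listed on this page (/api/users, /api/documents, /api/orders) as an in-process router. It shows the vulnerable handler next to a hardened one that performs object-level authorization and records denied cross-user requests for detection. Only the IDs 1001, 1004, 103 and 5003 come from the challenge text; the user names, roles, record contents, the FLAG placeholder and the 404-for-denied design choice are assumptions made for this example.

```python
import re

# Constructed in-memory data. Only the IDs 1001, 1004, 103 and 5003 are taken
# from the challenge text; names, roles and contents are assumptions.
USERS = {
    1001: {"username": "admin", "role": "admin", "secret": "FLAG{placeholder-not-the-real-flag}"},
    1004: {"username": "employee1004", "role": "employee", "secret": "private notes"},
}
DOCUMENTS = {103: {"owner_id": 1004, "title": "Timesheet Q1"}}
ORDERS = {5003: {"owner_id": 1004, "total": 42.50}}

# Each collection: (store, function that yields the owner id of a record).
# A user record is owned by itself; documents and orders carry an owner_id.
COLLECTIONS = {
    "users": (USERS, lambda rid, rec: rid),
    "documents": (DOCUMENTS, lambda rid, rec: rec["owner_id"]),
    "orders": (ORDERS, lambda rid, rec: rec["owner_id"]),
}

# Matches the request lines shown on the challenge page, e.g. "GET /api/users/1004".
REQUEST_RE = re.compile(r"^GET /api/(users|documents|orders)/(\d+)$")

# Denied cross-user requests land here; in a real service this would be an
# audit log line that a detection rule can alert on (many denials from one
# session across sequential IDs is the classic IDOR probing pattern).
DENIALS = []


def _parse(request_line):
    """Return (collection, record_id) or None if the line is not a supported request."""
    m = REQUEST_RE.match(request_line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def handle_vulnerable(session_user_id, request_line):
    """Mirrors the challenge's behaviour: whatever ID the client names is returned.
    session_user_id is accepted but never consulted, which is the whole bug."""
    parsed = _parse(request_line)
    if parsed is None:
        return 400, {"error": "bad request"}
    collection, rid = parsed
    store, _ = COLLECTIONS[collection]
    rec = store.get(rid)
    if rec is None:
        return 404, {"error": "not found"}
    return 200, dict(rec)


def handle_hardened(session_user_id, request_line):
    """Object-level authorization: the identity comes from the session, never
    from the URL, and the caller must own the record or hold the admin role."""
    parsed = _parse(request_line)
    if parsed is None:
        return 400, {"error": "bad request"}
    collection, rid = parsed
    caller = USERS.get(session_user_id)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    store, owner_of = COLLECTIONS[collection]
    rec = store.get(rid)
    # A record that does not exist and a record owned by someone else get the
    # same response, so the status code does not confirm which IDs are valid.
    if rec is None:
        return 404, {"error": "not found"}
    if owner_of(rid, rec) != session_user_id and caller["role"] != "admin":
        DENIALS.append({"session_user": session_user_id, "collection": collection, "id": rid})
        return 404, {"error": "not found"}
    return 200, dict(rec)


if __name__ == "__main__":
    # Same request, both handlers: user 1004 asking for profile 1001.
    print("vulnerable:", handle_vulnerable(1004, "GET /api/users/1001"))
    print("hardened:  ", handle_hardened(1004, "GET /api/users/1001"))
    print("denials:   ", DENIALS)
```

The important line is the ownership comparison in `handle_hardened`: it is the check the challenge says is absent, and it has to run on every object-returning endpoint, not only on profiles, because the documents and orders routes on this page have the same shape. Returning 404 for a denied request is a deliberate choice here so that an existence oracle is not created; the denial is still recorded server-side, which is where the detection value lies.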

Your Session:
User ID: 1004
Your Resources: Profile #1004, Document #103, Order #5003
View User Profile (Vulnerable)
Profile ID:
Request: GET /api/users/1004
View Document (Vulnerable)
Document ID:
Request: GET /api/documents/103
View Order (Vulnerable)
Order ID:
Request: GET /api/orders/5003
Submit Flag
Hints -10% per hint
ID Scanner

Scan a range of profile IDs:
