apsyleg · 1 min read
#portswigger #access-control #idor #web-security

Insecure Direct Object References — IDOR

Lab

Insecure direct object references · Apprentice

Solution

Given

This lab stores user chat logs directly on the server's file system, and retrieves them using static URLs.

Solve the lab by finding the password for the user `carlos`, and logging into their account.

Analyzing the task

The chat history is stored on the server's file system and is reachable through static URLs. We need to find the password for the user carlos, presumably by locating it in that user's own chat transcript.

Recon

Open the site and find Live Chat. Open it and send a couple of messages. There's a View transcript button; clicking it downloads a TXT file.

Okay, let's see what happened in Burp. On clicking View transcript:

POST /download-transcript

Returns HTTP/2 302 Found:

Location: /download-transcript/2.txt

So it's a redirect to download the file.

Okay, let's try guessing other transcripts:

Location: /download-transcript/3.txt
Location: /download-transcript/4.txt
Location: /download-transcript/5.txt

No transcript for any of them, so it didn't work right away. Throw the request into Intruder with the number as the payload position, 0 to 100 to start. Ha, found just one: 1.

GET /download-transcript/1.txt
You: Ok so my password is v6skv9vlon85s20dcidq. Is that right?

Password obtained. Log in to the site as carlos with it. Lab solved.
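The bug here is that the transcript number in the URL is the only thing the server checks, and the Intruder sweep is what exploiting it looks like in an access log. The following is an added example, not the lab's or PortSwigger's code: a minimal model of the download handler as the lab behaves, the same handler with an ownership check, and a detector that flags a client sweeping sequential transcript ids. The store, the log format and the addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample store: transcript id -> (owner, content). Nothing here is the lab's real data.
TRANSCRIPTS = {
    1: ("carlos", "You: Ok so my password is <constructed-secret>. Is that right?"),
    2: ("wiener", "You: hello"),
}

class NotFound(Exception):
    pass

def download_transcript_vulnerable(current_user, transcript_id):
    """Lab behaviour: the numeric id from the URL is the only lookup key,
    so any logged-in user can read any transcript (current_user is ignored)."""
    if transcript_id not in TRANSCRIPTS:
        raise NotFound(transcript_id)
    return TRANSCRIPTS[transcript_id][1]

def download_transcript_fixed(current_user, transcript_id):
    """Look the object up, then verify the caller owns it. A foreign id is
    answered exactly like a missing one, so an id sweep learns nothing."""
    entry = TRANSCRIPTS.get(transcript_id)
    if entry is None or entry[0] != current_user:
        raise NotFound(transcript_id)
    return entry[1]

# Detection side: a client walking sequential transcript ids and mostly
# getting 404s is what the Intruder sweep over 0..100 looks like in logs.
LOG_RE = re.compile(r'^(\S+) "GET /download-transcript/(\d+)\.txt" (\d{3})$')

def find_enumerators(log_lines, min_requests=10, min_miss_ratio=0.8):
    """Return client IPs with at least min_requests transcript fetches of which
    at least min_miss_ratio were 404s (hypothetical, simplified log format)."""
    per_ip = defaultdict(lambda: [0, 0])  # ip -> [requests, 404 responses]
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        per_ip[m.group(1)][0] += 1
        if m.group(3) == "404":
            per_ip[m.group(1)][1] += 1
    return sorted(ip for ip, (n, miss) in per_ip.items()
                  if n >= min_requests and miss / n >= min_miss_ratio)

# Constructed log sample: one client sweeping ids 0..19, one ordinary user.
SAMPLE_LOG = [f'10.0.0.5 "GET /download-transcript/{i}.txt" {"200" if i in (1, 2) else "404"}'
              for i in range(20)] + ['10.0.0.9 "GET /download-transcript/2.txt" 200']
```

Returning 404 for both missing and foreign ids in the fixed handler also removes the existence oracle that made the sweep informative.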