Broken Access Control (IDOR)
Hard | 200 pts | Access Control / IDOR
Access resources belonging to other users by manipulating direct object references. The endpoint keys records on a predictable numeric ID and never checks that the caller is allowed to read the record it names, so confidential data leaks to anyone who can guess the ID.
Hint
The API returns user data based on the ?id= parameter in the URL. The server doesn't verify whether the requesting user is authorized to access that specific resource. What happens when you change the ID?
Objective
- → You are currently logged in as user_id = 1
- → Enumerate other user IDs to find a privileged account
- → Access that user's private data to reveal the flag
- → Submit the flag to claim your 200 points
// API request
GET /api/user?id=1

// Response (UserProfile API v2.1)
Normal User
role: user
user_id: 1
user@app.com
private_data: [ access denied ]
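The following is an added example, not the challenge's own code: a minimal in-memory model of the /api/user?id= endpoint described above, written both in its vulnerable form (record selected purely by the id parameter) and in a hardened form (caller must own the record or be an admin), plus the enumeration loop an attacker would run against it. The user table, the ids other than 1, the handler and helper names are all assumptions for illustration, and the admin's private_data is a constructed placeholder rather than the real flag.

```python
# Added example (not the challenge's own code): a minimal model of the
# /api/user?id= endpoint on this page. The user table, the handler names and
# the helpers are assumptions; ids 2 and 3 and the admin's private_data are
# constructed placeholders, not the challenge's data or flag.
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    role: str
    email: str
    private_data: str


# Constructed sample table. The page only shows user_id 1; ids 2 and 3 are assumed.
USERS = {
    1: User(1, "Normal User", "user", "user@app.com", "user-1 private notes"),
    2: User(2, "Other User", "user", "other@app.com", "user-2 private notes"),
    3: User(3, "Site Admin", "admin", "admin@app.com", "PLACEHOLDER_FLAG"),
}


def parse_user_id(path: str) -> Optional[int]:
    """Pull the ?id= value out of a request path; None when missing or non-numeric."""
    values = parse_qs(urlsplit(path).query).get("id", [])
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def _render(user: User) -> dict:
    """Shape the record the way the UserProfile card on the page displays it."""
    return {
        "user_id": user.user_id,
        "name": user.name,
        "role": user.role,
        "email": user.email,
        "private_data": user.private_data,
    }


def vulnerable_get_user(session_user_id: int, requested_id: int) -> Optional[dict]:
    """The IDOR: the record is chosen purely by the id parameter.
    session_user_id is accepted but never consulted, so any logged-in user
    can read any other user's private_data."""
    user = USERS.get(requested_id)
    return _render(user) if user else None


def hardened_get_user(session_user_id: int, requested_id: int) -> Optional[dict]:
    """Object-level authorization: the caller must own the record or be an admin.
    A forbidden id gets the same response as a missing one, so the endpoint
    does not double as an oracle for which ids exist."""
    requester = USERS.get(session_user_id)
    user = USERS.get(requested_id)
    if requester is None or user is None:
        return None
    if requester.user_id != user.user_id and requester.role != "admin":
        return None
    return _render(user)


def enumerate_ids(fetch: Callable[[int, int], Optional[dict]],
                  session_user_id: int, candidates: Iterable[int]) -> list:
    """Attacker side: walk candidate ids as one session and keep every record
    the endpoint discloses. This is the hint's "change the ID" done systematically."""
    return [r for r in (fetch(session_user_id, c) for c in candidates) if r]


def find_privileged(records: list) -> list:
    """Objective step 2: pick out any disclosed record whose role is not a plain user."""
    return [r for r in records if r["role"] != "user"]


if __name__ == "__main__":
    # Logged in as user_id = 1, as the objective states.
    leaked = enumerate_ids(vulnerable_get_user, 1, range(0, 10))
    for rec in find_privileged(leaked):
        print(f"id {rec['user_id']} role={rec['role']} private_data={rec['private_data']}")
    print(len(enumerate_ids(hardened_get_user, 1, range(0, 10))), "record(s) via hardened endpoint")
```

Two design points worth noting. First, the fix is an authorization check against the session on every object access, not a harder-to-guess identifier; random or UUID keys only raise the cost of enumeration and are a defense in depth at best. Second, the hardened handler deliberately returns the same "not found" result for a missing id and a forbidden one; answering 403 for existing ids and 404 for missing ones would still let a caller map out which accounts exist.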