THM Room https://tryhackme.com/room/idor
TASK 1 : What is an IDOR?
What does IDOR stand for?
Answer : Insecure Direct Object Reference
TASK 2 : An IDOR Example
What is the Flag from the IDOR example website?
Website
IDOR
Flag
Answer : THM{IDOR-VULN-FOUND}
TASK 3 : Finding IDORs in Encoded IDs
What is a common type of encoding used by websites?
Common encoding is Base64. The answer can be found in the text.
Answer : base64
TASK 4 : Finding IDORs in Hashed IDs
What is a common algorithm used for hashing IDs?
Answer : MD5
TASK 5 : Finding IDORs in Unpredictable IDs
What is the minimum number of accounts you need to create to check for IDORs between accounts?
You need to test 2 accounts and swap between those to test the access from one of them while beeing logged to the other one.
Answer : 2
TASK 6 : Where are IDORs located
Update me..
No Answer
TASK 7 : A Practical IDOR Example
What is the username for user id 1?
Create an account on the plateform and see what filed is prefilled on your profile. Then open developer tools and refresh the page. You can see now your customer id. You can open it in a new tab.
Developer tools - Network
Customer ID 1
Answer : adam84
What is the email address for user id 3?
Customer ID 3
Answer : j@fakemail.thm