
IDOR

THM Room https://tryhackme.com/room/idor

TASK 1 : What is an IDOR?

What does IDOR stand for?

Answer : Insecure Direct Object Reference

TASK 2 : An IDOR Example

What is the Flag from the IDOR example website?

[Screenshots: Website, IDOR, Flag]

Answer : THM{IDOR-VULN-FOUND}

TASK 3 : Finding IDORs in Encoded IDs

What is a common type of encoding used by websites?

A common encoding is Base64; the answer is given in the room's text.

Answer : base64

TASK 4 : Finding IDORs in Hashed IDs

What is a common algorithm used for hashing IDs?

Answer : MD5

TASK 5 : Finding IDORs in Unpredictable IDs

What is the minimum number of accounts you need to create to check for IDORs between accounts?

You need two accounts: log in as one of them and request the other account's objects, then swap and repeat, to test whether either can reach data that belongs to the other.

Answer : 2

TASK 6 : Where are IDORs located

Update me..

No Answer

TASK 7 : A Practical IDOR Example

What is the username for user id 1?

Create an account on the platform and see which field is prefilled on your profile. Then open the developer tools and refresh the page. You can now see your customer id in the request made for your profile data, and you can open that request in a new tab.

[Screenshots: Developer tools - Network; Customer ID 1]

Answer : adam84

What is the email address for user id 3?

[Screenshot: Customer ID 3]

Answer : j@fakemail.thm
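The two-account test from Task 5 and the customer-id endpoint from Task 7, turned into a small defender-side regression check. This is an added example, not code from the room or the writeup; the customer records, the `Session` class and both lookup functions are constructed here to model the behaviour described above.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample records standing in for the room's customer table
# (ids and values are made up for this example).
CUSTOMERS = {
    1: {"username": "alice01", "email": "alice@example.test"},
    2: {"username": "bob02", "email": "bob@example.test"},
    3: {"username": "carol03", "email": "carol@example.test"},
}

@dataclass
class Session:
    user_id: int  # identity established at login, never taken from the URL

Handler = Callable[[Optional[Session], int], Optional[dict]]

def vulnerable_lookup(session: Optional[Session], customer_id: int) -> Optional[dict]:
    # IDOR pattern from Task 7: the id in the request is the only thing that
    # selects the record; the session is never consulted, so any id works
    # (even when the URL is opened in a fresh tab with no session at all).
    return CUSTOMERS.get(customer_id)

def hardened_lookup(session: Optional[Session], customer_id: int) -> Optional[dict]:
    # Fix: require a session and compare the requested object against the
    # caller's own identity. Return None for both "missing" and "not yours"
    # so the response does not reveal which ids exist.
    if session is None or customer_id != session.user_id:
        return None
    return CUSTOMERS.get(customer_id)

def cross_account_check(handler: Handler, account_a: int, account_b: int) -> bool:
    """Two-account test from Task 5: log in as A, request B's object.
    Returns True when the handler leaks B's record to A (i.e. it is vulnerable)."""
    leaked = handler(Session(user_id=account_a), account_b)
    return leaked is not None and leaked == CUSTOMERS[account_b]

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        # Run the check in both directions, as the writeup suggests.
        a_to_b = cross_account_check(handler, 1, 3)
        b_to_a = cross_account_check(handler, 3, 1)
        print(f"{name}: IDOR present = {a_to_b or b_to_a}")
```

The same `cross_account_check` can be pointed at any handler that takes a session and an object id, which makes it a cheap test to keep in a suite for every endpoint that accepts an id.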

This post is licensed under CC BY 4.0 by the author.