You are a penetration tester auditing the website craw.in, a new social media platform. You've created an account and are exploring the user profile features. You notice that user profile pages are accessed using URLs like craw.in/profile?id=123.
Question 1.
You notice that when viewing your own profile, the URL includes your user ID. What initial testing approach could reveal an IDOR vulnerability?
Question 2.
After changing the id parameter in the URL, you see another user's profile. What type of access control vulnerability is likely present?
Question 3.
While viewing another user's profile, you are able to modify their profile information (e.g., username, bio) using your account. Which POST parameter must be crafted correctly for this IDOR to succeed?
Question 4.
If you discovered that updating a user's email requires a confirmation link sent to the old email, would this completely mitigate the IDOR vulnerability if other profile fields were still modifiable?
Question 5.
You observe that the application retrieves images from a server using a path including the user ID, e.g., craw.in/images/user/123/profile.jpg. What vulnerability might arise if you can directly access these image paths with other user IDs?
Question 6.
The user profile contains a "posts" section. The application shows a list of posts the user created. What type of parameter would you look for to change in this section of the page?
Question 7.
When the value of authorID is manipulated, the application shows different posts. Which parameter would you need to change in a delete-post request to delete another user's post?
Question 8.
You find an endpoint at craw.in/api/v1/user/update. By manipulating the request data, you are able to change the email address associated with another user's account, without their permission. What is the consequence of this?
Question 9.
You try to access another user's information, but the identifier value is encrypted. What should you do next?
Question 10.
What type of attack can be mitigated with a correct implementation of direct object reference handling?
Question 11.
You find a section on the website that lets users update the security question used for password reset. Can you manipulate another user's security question with IDOR?
Question 12.
The developer fixed the IDOR vulnerability. Now all actions require you to provide the correct user id for the record being modified. What can you do next to bypass the limitation?
Question 13.
What is the main purpose of using a UUID instead of sequential IDs to prevent IDOR vulnerabilities?