Level 9: Insecure Direct Object References

Objective

Solve the lab by finding the password for the user carlos and logging into their account.

Explanation

This lab demonstrates an Insecure Direct Object Reference (IDOR) vulnerability, where sensitive resources (in this case, chat transcripts) are stored on the server with predictable file names and accessed without proper authorization checks. By modifying a direct object reference (e.g., a file name or ID), an attacker can access other users' private data.

Resolution

  1. Log in using the provided credentials or access the site anonymously.

  2. Click on the "Live Chat" button to start a conversation with a bot.

  3. After chatting, click on "View transcript", which will attempt to download a .txt file named with an incrementing number, such as 2.txt, 3.txt, etc.

  4. Notice that the file names are predictable and sequential. This suggests the presence of an IDOR vulnerability.

  5. Intercept the request for the transcript using Burp Suite.

  6. Modify the requested file (e.g., change 5.txt to 1.txt) and forward the request.

  7. If successful, the response will contain the chat transcript of the user carlos, including their plaintext password.

  8. Use the retrieved password to log in as carlos.

  9. The lab is solved once you are logged into the carlos account.

Mitigation

  • Access Control: Enforce proper access controls on all resource access. Every request to access a file or object should be verified against the current user's permissions.

  • Unpredictable Identifiers: Use unpredictable and non-sequential identifiers (like UUIDs) to make IDOR attacks more difficult.

  • Audit Logs: Implement logging and monitoring to detect abnormal access patterns, such as brute-force enumeration of resources.

  • Least Privilege: Ensure users can only access their own data, and enforce it at the server level — never trust user input to control access to internal objects.
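As an added example (not part of the lab or of this writeup), the transcript download handler as the lab's server behaves beside a hardened version that applies the mitigations above, plus a check over constructed access-log entries for the sequential enumeration seen in the Resolution steps. The transcript store, the log entries, the session ids and all function names are assumptions made for the example.

```python
import secrets
from collections import defaultdict

# Constructed sample store modelled on the lab: sequential transcript
# names, each owned by one user. Contents are invented placeholders.
TRANSCRIPTS = {
    "1.txt": ("carlos", "You: I forgot my password\nBot: It is <PLACEHOLDER>"),
    "2.txt": ("wiener", "You: Hello\nBot: Hi, how can I help?"),
    "3.txt": ("wiener", "You: Thanks\nBot: Goodbye"),
}


def download_vulnerable(requested: str):
    """Mirror of the lab's flaw: whatever file name the client sends is served."""
    entry = TRANSCRIPTS.get(requested)
    return entry[1] if entry else None


def download_hardened(session_user: str, requested: str):
    """Ownership is checked on every request against the server-side session.
    Unowned and non-existent names get the same answer, so the response does
    not reveal which transcripts exist."""
    entry = TRANSCRIPTS.get(requested)
    if entry is None or entry[0] != session_user:
        return None
    return entry[1]


def new_transcript_name() -> str:
    """Unpredictable identifier replacing 1.txt, 2.txt, ...: 128 bits from
    the CSPRNG. Defence in depth only; the ownership check above stays."""
    return secrets.token_urlsafe(16) + ".txt"


def flag_sessions(access_log, threshold: int = 3):
    """Audit-log check: a session that asked for more than `threshold`
    distinct transcripts, or that was refused at all, is worth a look.
    Entries are (session_id, requested_name, served: bool)."""
    distinct, refused = defaultdict(set), defaultdict(int)
    for session_id, name, served in access_log:
        distinct[session_id].add(name)
        if not served:
            refused[session_id] += 1
    return sorted(s for s in distinct
                  if len(distinct[s]) > threshold or refused[s] > 0)


# Constructed log: sessA reads its own transcript once; sessB walks the
# counter downwards from 5.txt and is refused by the hardened handler.
SAMPLE_LOG = [("sessA", "2.txt", True), ("sessB", "5.txt", True),
              ("sessB", "4.txt", False), ("sessB", "3.txt", False),
              ("sessB", "2.txt", False), ("sessB", "1.txt", False)]
```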
