Insecure direct object references

This lab stores user chat logs directly on the server's file system, and retrieves them using static URLs.

Upon entering the chat interface at https://****.web-security-academy.net/chat, I used the "View transcript" function to download the chat history as a text file. On closer inspection, the transcripts were plain text files named with incrementing integers, and the download request looked like this:

GET /download-transcript/2.txt HTTP/2
Host: ****.web-security-academy.net
Cookie: session=NZ5NRKXq59zpSMn5aODHnVAQvhdF1rm7

To access another user's data, I simply changed the filename to 1.txt and read the returned transcript, which contained a password. Logging in as "carlos" with this password solved the lab. The root cause is that the download handler resolves whatever filename the URL supplies without checking that the requesting session owns that transcript, so the sequential names turn a static file path into a direct object reference anyone can enumerate.
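The following is an added example, not code from the lab or from PortSwigger, that models the defect described above and two ways to remediate it. The in-memory TRANSCRIPTS dictionary, the user names, the sample log lines and the function names are all constructed for illustration; the lab's real server-side code is not available. download_vulnerable mirrors the lab's behaviour (any authenticated session can read any file by changing the number); download_fixed adds the missing ownership check; OpaqueTranscriptStore replaces the guessable sequential names with random references while still enforcing ownership; and find_enumeration is a minimal log-side check that flags a session requesting an unusual number of distinct transcript ids.

```python
import re
import secrets
from collections import defaultdict

# Constructed stand-in for the lab's file-system store: filename -> (owner, contents).
TRANSCRIPTS = {
    "1.txt": ("carlos", "Agent: your temporary password is EXAMPLE-PLACEHOLDER"),
    "2.txt": ("wiener", "Agent: your order has shipped"),
}


def download_vulnerable(session_user, filename):
    """Reproduces the lab's defect: the filename taken from the URL is resolved
    directly and the requesting user is never compared with the file's owner."""
    entry = TRANSCRIPTS.get(filename)
    if entry is None:
        return 404, ""
    return 200, entry[1]


def download_fixed(session_user, filename):
    """Hardened handler: same lookup, but the record is returned only when the
    session user owns it. A missing and a foreign transcript both yield 404, so
    the status code does not confirm that other users' files exist."""
    entry = TRANSCRIPTS.get(filename)
    if entry is None or entry[0] != session_user:
        return 404, ""
    return 200, entry[1]


class OpaqueTranscriptStore:
    """Second mitigation: sequential names are replaced with random, unguessable
    references. Ownership is still checked on every fetch, because an opaque id
    alone only raises the cost of guessing; it is not an authorization check."""

    def __init__(self):
        self._by_ref = {}

    def save(self, owner, text):
        ref = secrets.token_urlsafe(16)  # 128 random bits, not enumerable
        self._by_ref[ref] = (owner, text)
        return ref

    def fetch(self, session_user, ref):
        entry = self._by_ref.get(ref)
        if entry is None or entry[0] != session_user:
            return 404, ""
        return 200, entry[1]


# Constructed access-log format: "<session> GET /download-transcript/<n>.txt <status>"
LOG_LINE = re.compile(
    r"^(?P<session>\S+) GET /download-transcript/(?P<id>\d+)\.txt (?P<status>\d{3})$"
)


def find_enumeration(log_lines, threshold=3):
    """Detection: return sessions that requested more than `threshold` distinct
    transcript ids within the supplied log window, with the ids they touched."""
    ids = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            ids[m["session"]].add(int(m["id"]))
    return {s: sorted(v) for s, v in ids.items() if len(v) > threshold}


# Constructed sample log: sess_a fetches its own transcript once,
# sess_b walks through ids 1..4 in sequence.
SAMPLE_LOG = [
    "sess_a GET /download-transcript/2.txt 200",
    "sess_b GET /download-transcript/1.txt 200",
    "sess_b GET /download-transcript/2.txt 200",
    "sess_b GET /download-transcript/3.txt 404",
    "sess_b GET /download-transcript/4.txt 404",
]

if __name__ == "__main__":
    print("vulnerable, wiener -> 1.txt:", download_vulnerable("wiener", "1.txt"))
    print("fixed, wiener -> 1.txt:", download_fixed("wiener", "1.txt"))
    print("fixed, carlos -> 1.txt:", download_fixed("carlos", "1.txt"))
    store = OpaqueTranscriptStore()
    ref = store.save("wiener", "Agent: hello")
    print("opaque ref for wiener:", ref, store.fetch("carlos", ref))
    print("enumerating sessions:", find_enumeration(SAMPLE_LOG))
```

The ownership comparison belongs in the handler itself, not in the file naming scheme: the opaque store shows that random names reduce guessability, but the fetch still refuses a reference owned by someone else. The log check is deliberately crude (distinct ids per session over the window) and is meant as a starting point for an alert, not a complete detection.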
