Writeup CTF 0x00sec Web - Exercise #3
Another day, another CTF challenge. This time it is no. 3 of the web exercises.
If you have read my previous write-ups, you will know that it is always good to check out the page source first, as you can get a lot of useful information out of it.
This time we proceed the same way.
If we take a look at the page source, we find a left-over HTML comment with a nice hint.
<!-- TODO: --> <!-- * Implement secure object references-->
Well, if you are not familiar with this kind of attack you may want to google a bit, and after a while you will find tons of articles about IDOR (Insecure Direct Object Reference) attacks.
OWASP, for example, is always a good source of information and worth a read.
Based on the hint, let’s assume that we are dealing with an IDOR vulnerability here.
But, … we only see a login field in there. Nothing more. Now it is guessing time.
Let’s try to log in with some commonly used credentials. If we try admin:admin we are logged in.
If we take a close look at the URL we see that it has the query parameter user_id=5. We can assume that this is our
But what happens if we supply another
If we visit user_id=1 we get the profile of another user. Now we just need to test along the ids.
With user_id=2 we get a profile where the flag is hidden.
This was a fun little challenge which teaches you about one of the most important and critical vulnerabilities.
Some examples from HackerOne:
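To show what the "secure object references" TODO from the page source amounts to, here is an added example (not the challenge's code) that puts a profile lookup trusting the user_id query parameter next to one that ties it to the logged-in session. The function names, the Session type and the profile data are constructed for illustration; only the user_id parameter and the id 5 for the admin login come from the challenge.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int  # identity fixed at login and kept server-side


# Constructed sample data; ids 1 and 2 stand in for other users' profiles.
PROFILES = {
    1: {"name": "alice", "note": "hello"},
    2: {"name": "bob", "note": "private note"},
    5: {"name": "admin", "note": "the account we logged in with"},
}


class Forbidden(Exception):
    """The session is not allowed to read the requested profile."""


def get_profile_vulnerable(session: Session, query: dict) -> dict:
    # Direct object reference: the id from the URL is used as-is.
    # A session exists (authentication), but ownership is never checked.
    return PROFILES[int(query["user_id"])]


def get_profile_checked(session: Session, query: dict) -> dict:
    # Default to the caller's own id when the parameter is absent.
    try:
        requested = int(query.get("user_id", session.user_id))
    except (TypeError, ValueError):
        raise Forbidden("malformed user_id")
    # Authorization: the requested object must belong to the session.
    if requested != session.user_id:
        raise Forbidden("profile does not belong to this session")
    profile = PROFILES.get(requested)
    if profile is None:
        raise Forbidden("profile does not belong to this session")
    return profile


if __name__ == "__main__":
    me = Session(user_id=5)
    print(get_profile_vulnerable(me, {"user_id": "2"}))  # another user's data
    try:
        get_profile_checked(me, {"user_id": "2"})
    except Forbidden as exc:
        print("denied:", exc)
```

An alternative with the same effect is to drop the parameter entirely and always read the profile of session.user_id.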