Writeup CTF 0x00sec Web - Exercise #3
Another day, another CTF challenge. This time it is no. 3 of the web exercises.
Challenge
As you may know from my previous write-ups, it is always good to check out the page source first, because you can get a lot of useful information out of it.
This time we proceed the same way.
If we take a look at the page source, we find a left-over HTML comment with a nice hint:
<!-- TODO: -->
<!-- * Implement secure object references-->
Object References
Well, if you are not familiar with this kind of attack you may want to google a bit; after a while you will find tons of articles about IDOR (Insecure Direct Object Reference) attacks.
OWASP, for example, is always a good source of information and worth a read.
The Attack
Based on the hint, let’s assume that we are dealing with an IDOR vulnerability.
But, … we only see a login form. Nothing more. Now it is guessing time.
Let’s try to log in with some commonly used credentials. If we try admin:admin we are logged in.
If we take a close look at the URL we see that it has the query parameter user_id=5. We can assume that this is our user_id.
But what happens if we supply another user_id?
If we visit user_id=1 we get the profile of another user: the application looks up the profile by the id in the URL without checking that it belongs to the logged-in session. Now we just need to test along the ids.
And with user_id=2 we get a profile where the flag is hidden.
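To make the bug and its fix concrete, here is an added example that is not part of the challenge or of this write-up's original content: a small local HTTP server with a profile endpoint in two flavours, the vulnerable one that trusts the user_id query parameter (the IDOR above) and a hardened one that refuses any id that does not belong to the session, plus the enumeration loop an attacker runs against it. The endpoint path, the session cookie name, the profile texts and the flag string are all constructed for the example; the real challenge's session handling is unknown.

```python
"""Toy model of the IDOR from the challenge: a vulnerable profile endpoint
that trusts ?user_id=, a hardened variant that authorizes the reference
against the session, and the attacker's enumeration loop.
Constructed example; none of this is the challenge's real code."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample data: session cookie value -> user id, and the profile table.
SESSIONS = {"sess-admin": 5}
PROFILES = {
    1: "alice: just another user",
    2: "bob: flag{constructed_example_flag}",  # hypothetical flag text
    5: "admin: the account we logged in as",
}


def lookup_profile(session_token, requested_id, hardened):
    """Core access decision. Returns (status, body).
    Vulnerable: any valid session may read any user_id (the IDOR).
    Hardened: the requested object must belong to the session's user."""
    current_user = SESSIONS.get(session_token)
    if current_user is None:
        return 401, "login required"
    if requested_id not in PROFILES:
        return 404, "no such user"
    if hardened and requested_id != current_user:
        return 403, "forbidden"
    return 200, PROFILES[requested_id]


class ProfileHandler(BaseHTTPRequestHandler):
    hardened = False  # overridden per server instance in start_server()

    def do_GET(self):
        qs = parse_qs(urlparse(self.path).query)
        try:
            requested = int(qs.get("user_id", [""])[0])
        except ValueError:
            requested = -1  # never a valid key -> 404 path
        cookies = dict(
            part.strip().split("=", 1)
            for part in self.headers.get("Cookie", "").split(";")
            if "=" in part
        )
        status, body = lookup_profile(cookies.get("session"), requested, self.hardened)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(hardened):
    """Bind a server on a free loopback port and serve in a daemon thread."""
    handler = type("Handler", (ProfileHandler,), {"hardened": hardened})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def enumerate_ids(base_url, session_token, id_range):
    """The attacker's loop: keep the logged-in cookie, walk user_id values,
    record every id that returns a profile body."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    found = {}
    for uid in id_range:
        req = urllib.request.Request(
            f"{base_url}/profile?user_id={uid}",
            headers={"Cookie": f"session={session_token}"},
        )
        try:
            with opener.open(req) as resp:
                found[uid] = resp.read().decode()
        except urllib.error.HTTPError:
            continue  # 403/404: nothing to see for this id
    return found


def run_demo(hardened):
    """Start one server variant, enumerate ids 1..5 as the admin session, stop it."""
    srv = start_server(hardened)
    try:
        return enumerate_ids(f"http://127.0.0.1:{srv.server_port}", "sess-admin", range(1, 6))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("vulnerable:", run_demo(False))  # leaks profiles 1, 2 and 5
    print("hardened:  ", run_demo(True))   # only the session's own profile, 5
```

The fix is the single `requested_id != current_user` check: the object reference from the URL is only honoured after it has been tied to the authenticated principal. An alternative that removes the guessable reference entirely is to drop the user_id parameter and always serve the profile of the session's user.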
Conclusion
This was a fun little challenge which teaches you one of the most common and critical classes of web vulnerabilities.
Some examples from HackerOne:
- https://hackerone.com/reports/681473
- https://hackerone.com/reports/380410
- https://hackerone.com/reports/148764
Happy Hacking.