Writeup: 0x00sec CTF - Exercise #3


Another day, another CTF challenge. This time it is no. 3 of the web exercises.

Challenge

If you have read my previous write-ups, you will know that it is always a good idea to check out the page source first, as you can get a lot of useful information out of it.

This time we proceed the same way.

If we take a look at the page source, we find a left-over HTML comment with a nice hint:

  <!-- TODO: -->
  <!-- * Implement secure object references-->

Object References

If you are not familiar with this kind of attack you may want to google a bit; after a while you will find tons of articles about IDOR (Insecure Direct Object Reference) attacks.

OWASP, for example, is always a good source of information and worth a read.

The Attack

Based on the hint, let’s assume that we are dealing with an IDOR vulnerability here.

But … we only see a login form. Nothing more. Now it is guessing time.
Let’s try to log in with some commonly used credentials. If we try admin:admin we are logged in.

If we take a close look at the URL, we see that it has the query parameter user_id=5. We can assume that this is our user_id.

But what happens if we supply another user_id?

If we visit user_id=1 we get the profile of another user. Now we just need to test along the ids.

And with user_id=2 we get a profile where the flag is hidden.
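To make the defence concrete, here is an added example (not code from the challenge or from the original post) that models the profile endpoint in Python: the vulnerable lookup the write-up exploits, an authorization check against the logged-in session, and the indirect per-session reference the TODO comment asks for. The profile data, the Response type and the session dict are constructed for this example.

```python
# Added example (not from the challenge or the original post): a minimal
# model of the profile endpoint, showing the IDOR the write-up exploits
# beside two fixes. Data, Response type and session dict are constructed.
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed data: profile rows keyed by user_id (ids echo the write-up).
PROFILES = {
    1: {"name": "alice", "bio": "first user"},
    2: {"name": "bob", "bio": "flag{constructed-placeholder}"},
    5: {"name": "admin", "bio": "default credentials"},
}

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def profile_insecure(session: dict, user_id: int) -> Response:
    """Vulnerable: trusts the user_id query parameter, never checks who asks."""
    profile = PROFILES.get(user_id)
    return Response(200, profile) if profile else Response(404)

def profile_secure(session: dict, user_id: int) -> Response:
    """Fix 1: authorise the requested id against the authenticated identity."""
    if session.get("user_id") != user_id:
        # Worth logging: a mismatch here is exactly the probe the write-up does.
        return Response(403)
    return Response(200, PROFILES[user_id])

def issue_reference(session: dict, user_id: int) -> str:
    """Fix 2 (the hint's 'secure object references'): hand the client a
    per-session random token instead of the raw database key. The server
    only calls this for objects the session is allowed to see."""
    token = secrets.token_urlsafe(16)
    session.setdefault("refs", {})[token] = user_id
    return token

def profile_by_reference(session: dict, token: str) -> Response:
    """Resolve the token through this session's map only; tokens issued to
    another session, or guessed values, simply do not resolve."""
    user_id = session.get("refs", {}).get(token)
    if user_id is None:
        return Response(403)
    return Response(200, PROFILES[user_id])
```

With the insecure handler a session logged in as user 5 can read user 2's profile (the flag); both fixes reject that request.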

Conclusion

This was a fun little challenge which teaches you about one of the most common and critical web vulnerabilities.

Some examples from HackerOne:

Happy Hacking.
