Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
Check out these HackerPhotos! Nothings wrong here.
Insecure Direct Object Reference
We've created a basic web application called "HackerPhotos" to hightlight some awesome hacker-tagged photography. It is just in BETA and we'd love for you to give it a try and make sure we've not made any mistakes!
You can login to the challenge with the following credentials:
Please note the photos are real photos from Pexel.com. We have credited each author on their photos. (other information you may find is not real)
Completed the challenge?
You can browse the intended solution to this challenge below.
This is based on a real P1 finding where the program was using obscurity throughout whereas integer values could simply be used. It resulted in a site-wide IDOR problem leaking lots of user information.
Login and you're redirected to
photosbeta.php. But did you notice the cookie
userid was also set? Take note of this.
Browse the source of the page (
view-source:) and you'll see:
appfunc.js. Browse this and you see:
var oReq = new XMLHttpRequest();
Querying this URL with your userid will reveal your information. But what is this ID, and how is it encoded?
Well, if you simply just try either one of the following IDs:
6 then you'll discover it doesn't actually matter at all! It will take either integer or encoded values!