Day 5: Broken access control

@rrietwrites
2 min read · Jun 13, 2022

Please note: This is part five of a 10-part series on TryHackMe OWASP top 10 room

A broken access control vulnerability occurs when a website visitor is able to access pages or resources that they are not authorized to view.

This vulnerability can lead to the exposure of sensitive information, or give an attacker unauthorized privileged access.

LAB: Broken access control (IDOR Challenge)

In this lab, we are expected to use an Insecure Direct Object Reference (IDOR) to gain unauthorized access.

IDOR occurs when the application takes a user-supplied value (such as an ID in the URL) and uses it to fetch an object directly, without checking that the current user is authorized to access that object. An attacker abuses this by changing the value to reference objects that belong to other users.

The lab requires us to log in with the username noot and the password test1234.

Once you log in, this is the landing page:

Note that the website URL exposes the value assigned to the current note (the one displayed on the page). This suggests that other notes exist with different values.

Trying note 2:

There is nothing on this page, meaning that there is currently no note with that value.

Trying note 0 displays the note containing the flag value:

In a real-world situation, this flag value could be sensitive information such as user credit card numbers among others.
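To show the server-side cause of what the lab demonstrates, here is an added example (not code from the post or from the TryHackMe room): a minimal note lookup in the vulnerable form, where the note ID from the URL is trusted as-is, next to the fixed form that checks ownership before returning anything. The note data, users and the `Forbidden` exception are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Note:
    note_id: int
    owner: str
    body: str


# Constructed sample data: the logged-in user "noot" owns note 1 only.
NOTES = {
    0: Note(0, "admin", "private admin note"),
    1: Note(1, "noot", "noot's own note"),
}


class Forbidden(Exception):
    """Raised when an authenticated user asks for an object they do not own."""


def parse_note_id(raw: str) -> Optional[int]:
    """Parse the ?note= query value; anything that is not a non-negative
    integer is rejected rather than passed on to the lookup."""
    return int(raw) if raw.isdigit() else None


def get_note_insecure(current_user: str, note_id: int) -> Optional[Note]:
    """Vulnerable: fetches the note by the id taken from the URL and never
    checks that current_user owns it, so any logged-in user who changes
    the id receives another user's note. This is the IDOR in the lab."""
    return NOTES.get(note_id)


def get_note_secure(current_user: str, note_id: int) -> Optional[Note]:
    """Fixed: the object is still looked up by id, but ownership is verified
    server-side before it is returned. A missing note and a foreign note are
    distinguished here to make the two cases visible; a production handler
    may return the same 404 for both so an id's existence is not confirmed."""
    note = NOTES.get(note_id)
    if note is None:
        return None
    if note.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not read note {note_id}")
    return note
```

The check belongs on the server for every object access; hiding the ID from the page or making it harder to guess does not fix the underlying authorization gap.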


@rrietwrites is a cybersecurity researcher who also enjoys conversations on personal finance, lifestyle, mental health and human psychology