🗂️PortSwigger Lab Writeup: Insecure Direct Object References

PortSwigger lab banner: Insecure direct object references


🎯 Objective

The objective of this lab is to exploit a broken access control in an app that has an IDOR vulnerability. The goal is to retrieve the password of the user carlos and log in to their account.

  • Lab URL: https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references
  • Category: Access Control
  • Difficulty: Apprentice

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how it works.
    Screenshot: shopping website homepage with the live chat feature visible
    Screenshot: login page interface with username and password fields
  • At first glance, the website is a shopping site with a login page and a live chat feature. The lab description says we need to find the password of carlos.

📝Step 2: Find IDOR

  • Test the live chat feature to see whether it exposes anything.
    Screenshot: live chat window showing the View transcript option and the file download URL
  • Click View transcript to see what happens.
  • A file named 2.txt is downloaded from a URL.
    Screenshot: browser download dialog showing 2.txt being downloaded from a URL with sequential naming
  • This is a likely place for an IDOR: the filename in the URL is a sequential identifier that the server appears to trust.
  • Now copy this URL and change 2.txt to 1.txt.
    Screenshot: modified request for 1.txt showing successful access to a different user's transcript
  • A new file named 1.txt is downloaded.
  • Open this file: it contains a password, which may be the password of carlos.
    Screenshot: text file content showing the carlos username and password obtained via the IDOR
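A defender-side counterpart to this step, added here as example code that is not part of the writeup or the lab: the 2.txt to 1.txt swap leaves a trace in the web server's access log, because a session that the chat feature handed exactly one transcript suddenly requests others. The log format, paths and session identifiers below are constructed assumptions for illustration.

```python
# Added example (not the lab's or PortSwigger's code): flag sessions that
# request more than one distinct transcript id, the access pattern of the
# 2.txt -> 1.txt swap. Log format, paths and session ids are constructed.
import re
from collections import defaultdict

# Constructed sample log: combined-log style with the session cookie appended.
# Session A1 gets 2.txt from the chat, then requests 1.txt and probes 3.txt.
SAMPLE_LOG = """\
10.0.0.5 sess=A1 "GET /chat HTTP/1.1" 200
10.0.0.5 sess=A1 "GET /download-transcript/2.txt HTTP/1.1" 200
10.0.0.5 sess=A1 "GET /download-transcript/1.txt HTTP/1.1" 200
10.0.0.5 sess=A1 "GET /download-transcript/3.txt HTTP/1.1" 404
10.0.0.9 sess=B7 "GET /download-transcript/4.txt HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) sess=(?P<sess>\S+) "GET (?P<path>\S+) HTTP/1\.\d" (?P<status>\d{3})$'
)
# Assumed download path; the lab's real path is not reproduced here.
TRANSCRIPT_RE = re.compile(r"^/download-transcript/(?P<id>\d+)\.txt$")


def parse_transcript_requests(log_text):
    """Yield (session, transcript_id, status) for transcript downloads only."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line: skip here, count it in production
        t = TRANSCRIPT_RE.match(m.group("path"))
        if not t:
            continue
        yield m.group("sess"), int(t.group("id")), int(m.group("status"))


def find_enumerating_sessions(log_text, min_distinct_ids=2):
    """Return {session: sorted transcript ids} for sessions that requested at
    least `min_distinct_ids` distinct transcript ids. Failed (404) requests
    are counted too: probing ids that do not exist is part of enumeration,
    and a 404 still confirms the identifier space to the requester."""
    seen = defaultdict(set)
    for sess, transcript_id, _status in parse_transcript_requests(log_text):
        seen[sess].add(transcript_id)
    return {s: sorted(ids) for s, ids in seen.items() if len(ids) >= min_distinct_ids}


if __name__ == "__main__":
    print(find_enumerating_sessions(SAMPLE_LOG))  # {'A1': [1, 2, 3]}
```

The threshold of two assumes a user receives one transcript per chat; raise it if users legitimately hold several chats, and correlate with ownership data where the app logs it so that a session reading its own old transcripts is not flagged.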

🧑‍💼Step 3: Login as carlos

  • Log in as carlos with the password from the 1.txt file.
    Screenshot: login form with the carlos username and the password obtained via the IDOR
  • Finally, the lab is solved.
    Screenshot: lab solved confirmation page after successfully logging in as carlos

🧠 Conclusion

  • This lab demonstrated Insecure Direct Object References (IDOR) through predictable file identifiers. By sequentially changing the filename from 2.txt to 1.txt, we accessed another user's transcript file containing their password without any authorization checks.
  • The impact is critical: IDOR vulnerabilities let attackers access, modify, or delete any user's data simply by guessing or enumerating object identifiers, leading to account compromise and data breaches.
  • Fix: implement proper access control checks on all object references, validate that the current user has permission to access the requested resource, use cryptographically strong and unpredictable identifiers (UUIDs) instead of sequential numbers, and avoid relying on user input alone to identify objects without server-side authorization validation.
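The fix described above, as an added example that is not the lab's or PortSwigger's code: a transcript-download handler in its vulnerable form beside a hardened one that authorizes the resolved object against the logged-in user, plus the switch from sequential names to unpredictable ones. The in-memory store, the username alice, the transcript text and the password placeholder are all constructed for illustration.

```python
# Added example (not the lab's or PortSwigger's code): IDOR-vulnerable and
# hardened versions of a transcript download, plus unpredictable identifiers.
# Store contents, usernames and transcript text are constructed.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transcript:
    owner: str      # username of the user the chat belongs to
    content: str


# Constructed store; sequential names mirror the lab's 1.txt / 2.txt pattern.
# The password text is a placeholder, not the lab's real value.
TRANSCRIPTS = {
    "1.txt": Transcript("carlos", "carlos: my password is <PASSWORD-PLACEHOLDER>"),
    "2.txt": Transcript("alice", "CONNECTED: -- Now chatting with support --"),
}


class Forbidden(Exception):
    """Raised when the current user may not read the requested transcript."""


def download_vulnerable(store, current_user, filename):
    """IDOR: the filename from the URL is used directly as the object
    reference and the only check is existence, so any logged-in user can
    read any transcript. current_user is never consulted."""
    transcript = store.get(filename)
    if transcript is None:
        raise KeyError(filename)
    return transcript.content


def download_hardened(store, current_user, filename):
    """Server-side authorization on the resolved object: the request succeeds
    only if the logged-in user owns the transcript. A missing name and a
    foreign name produce the same error, so the response does not confirm
    which identifiers exist."""
    transcript = store.get(filename)
    if transcript is None or transcript.owner != current_user:
        raise Forbidden(filename)
    return transcript.content


def can_download(store, current_user, filename):
    """Boolean view of the hardened check, for tests and templates."""
    try:
        download_hardened(store, current_user, filename)
    except Forbidden:
        return False
    return True


def new_transcript_name():
    """Unpredictable name in place of a sequential number. This only makes
    enumeration impractical; the ownership check above is what actually
    closes the IDOR, so use both."""
    return secrets.token_urlsafe(16) + ".txt"


def rekey_store(sequential_store):
    """Re-key a store with unpredictable names; returns (new_store, old_to_new)."""
    new_store, old_to_new = {}, {}
    for old_name, transcript in sequential_store.items():
        new_name = new_transcript_name()
        old_to_new[old_name] = new_name
        new_store[new_name] = transcript
    return new_store, old_to_new


if __name__ == "__main__":
    # alice's session asks for carlos's transcript
    print(download_vulnerable(TRANSCRIPTS, "alice", "1.txt"))  # leaks the content
    print(can_download(TRANSCRIPTS, "alice", "1.txt"))         # False
    print(can_download(TRANSCRIPTS, "carlos", "1.txt"))        # True
```

The hardened handler does the check after looking the object up, on the record it found, not on anything the client sent; that is the difference between "is this file there?" and "is this file yours?". Returning the same Forbidden for unknown and foreign names keeps the endpoint from doubling as an identifier oracle.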