TryHackMe: OWASP Top 10 || Severity 5 || Broken Access Control

goay xuan hui
Apr 6, 2021

This challenge exploits an Insecure Direct Object Reference (IDOR): the application takes an object identifier straight from user input (here the note number in the URL) and uses it to fetch the object without checking that the logged-in user is actually allowed to see it.

For example, when we go to http://10.10.147.196 and log in with the username noot and the password test123, we can see that the URL is http://10.10.147.196/note.php?note=1.

We can then manipulate the note variable in the URL using Burp Suite to see whether we can access other users' note pages:

  • Turn on your browser’s proxy and the interceptor in Burp Suite → forward the intercepted request to Intruder.
  • Load the payload list from /usr/share/wordlists/SecLists/Fuzzing/alphanum-case.txt.
  • Once we start the attack, we can see that the payload 0 (http://10.10.147.196/note.php?note=0) returns flag{fivefourthree}.
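To show why note=0 leaks another user's note, here is a small Python model of the lookup behind a page like note.php. It is an added example written for this write-up, not code from the challenge or the author: the in-memory note store, the owner names and the function names are assumptions, and the only value taken from the page is the flag string returned for note=0. The vulnerable handler trusts the id from the URL; the fixed handler returns the note only when it belongs to the session user, and a per-user listing shows the indirect-reference alternative.

```python
"""Direct object reference on a note page: vulnerable lookup beside an ownership check.

Constructed in-memory data standing in for a note.php-style backend
(assumption: a notes table keyed by an integer id with an owner column).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Note:
    note_id: int
    owner: str
    body: str


# Constructed sample rows. Only the flag string comes from the write-up;
# the owner of note 0 is a made-up name.
NOTES: Dict[int, Note] = {
    0: Note(0, "someone_else", "flag{fivefourthree}"),
    1: Note(1, "noot", "my note"),
    2: Note(2, "alice", "alice's note"),
}


class Forbidden(Exception):
    """Raised when the requester may not see the requested note."""


def parse_note_param(raw: str) -> int:
    """Parse the ?note= query value; reject anything that is not a plain integer."""
    if not raw.isdigit():
        raise ValueError(f"note must be an integer, got {raw!r}")
    return int(raw)


def get_note_vulnerable(session_user: str, raw_note_id: str) -> str:
    """IDOR: the user is authenticated, but the id from the URL is trusted as-is."""
    note = NOTES.get(parse_note_param(raw_note_id))
    if note is None:
        raise KeyError("no such note")
    return note.body  # any logged-in user can read any note id


def get_note_fixed(session_user: str, raw_note_id: str) -> str:
    """Same lookup, but the object is returned only if it belongs to the session user."""
    note = NOTES.get(parse_note_param(raw_note_id))
    # One error for both "missing" and "not yours", so ids cannot be enumerated
    # by watching for different responses.
    if note is None or note.owner != session_user:
        raise Forbidden("note not found")
    return note.body


def can_read(session_user: str, raw_note_id: str) -> bool:
    """True if the fixed handler would serve this note to this user."""
    try:
        get_note_fixed(session_user, raw_note_id)
        return True
    except (Forbidden, ValueError):
        return False


def list_note_ids(session_user: str) -> List[int]:
    """Indirect reference: hand the client only ids that are its own."""
    return sorted(n.note_id for n in NOTES.values() if n.owner == session_user)


if __name__ == "__main__":
    print("vulnerable:", get_note_vulnerable("noot", "0"))  # leaks another user's note
    print("fixed allows noot -> note 0?", can_read("noot", "0"))
    print("fixed allows noot -> note 1?", can_read("noot", "1"))
    print("noot's own ids:", list_note_ids("noot"))
```

The check that matters is the `note.owner != session_user` comparison, done server-side against the session, never against anything the client sent. Responding identically for a missing note and for someone else's note keeps an attacker from telling the two apart.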

#1 Look at other users notes. What is the flag?

flag{fivefourthree}

goay xuan hui

A food lover, a cyber security enthusiast, a musician and a traveller, so you will see a mix of different contents in my blog. ☺️