Check out these HackerPhotos! Nothings wrong here.

Bug Bounty Hunter

Check out these HackerPhotos! Nothings wrong here

---

This afternoon, I was like, “Let me practice some labs on IDOR.” I just opened my laptop and searched for some IDOR stuff. Then I found these bug bounty hunter labs by Zseano on IDOR. So, I solved the labs, and let’s take a look at ‘em. To be honest, the labs just give you some description—they don’t even give you pointers like “look for flags” or anything, kinda similar to Hacker101 CTF. I think the purpose of the labs is to teach manual testing. So, let’s leave that rant aside. Here’s the lab description if you wanna follow along…… idor

---

We’ve created a basic web application called “HackerPhotos” to hightlight some awesome hacker-tagged photography. It is just in BETA and we’d love for you to give it a try and make sure we’ve not made any mistakes!

With that being said, log in to your account. At first, when I logged in, I tried to look for some button where I could click but found nothing. I was just like, “What the…?”

So, I checked my web proxy and found a JS extension. So, let’s take a look at it.

Then I found a path in the JS file where it appears that the web application retrieves a user ID from a cookie and uses it to fetch user data from a server.

• So, I checked my cookies and saw some long value in the user ID, but how can this be guessable? But, you know, thinking in my head, let me just copy this path and add a numerical value. then it appeared I could see some information.

Then I sent the request to automate enumeration, thinking maybe I could get other users’ information. Then I found 7 people. Wow, what an IDOR!

So, that’s it, guys. The tip is to just use the application like a normal user, then check the JS file to understand the application. Catch you guys later, I’ll be dropping more blogs.

Here is my Twitter account @T3chnocr4tX