Important information
Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
Check out these HackerPhotos! Nothing's wrong here.
Medium
Insecure Direct Object Reference
We've created a basic web application called "HackerPhotos" to highlight some awesome hacker-tagged photography. It is just in BETA and we'd love for you to give it a try and make sure we've not made any mistakes!
You can login to the challenge with the following credentials:
Username: phototest
Password: phototest1
Please note the photos are real photos from Pexel.com, and we have credited each author on their photos. Any other information you may find is not real.
Completed the challenge?
You can browse the intended solution to this challenge below.
Solution
This is based on a real P1 finding: the program used obscured identifiers throughout, but the backend accepted plain integer values just the same. The result was a site-wide IDOR that leaked a lot of user information.
Log in and you're redirected to photosbeta.php. But did you notice that the cookie userid was also set? Take note of this.

Browse the source of the page (view-source:) and you'll see a reference to appfunc.js. Open it and you see:
// Excerpt from appfunc.js as shown in the write-up. reqListener and userid are
// defined elsewhere in the script; userid carries the value of the userid cookie
// noted above.
var oReq = new XMLHttpRequest();
oReq.addEventListener("load", reqListener);
// The user whose record is returned is taken from the query string, not from the session.
oReq.open("GET", "http://www.bugbountytraining.com/challenges/HackerPhotos/getUser.php?user="+userid);
oReq.withCredentials=true; // send the session cookie along with the request
oReq.send();
Querying this URL with your own userid will return your information. But what is this ID, and how is it encoded?

Well, if you simply try any of the IDs 1, 2, 3, 4, 5 or 6 in place of the encoded value, you'll discover that it doesn't matter at all: getUser.php accepts either the integer or the encoded form and returns whichever user you ask for. The endpoint never checks that the requested user matches the logged-in session, so the encoding is only obscurity; the missing authorization check is the IDOR.
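To make the lesson concrete, here is an added Node.js model of a getUser-style endpoint. It is not the challenge's code: the user table, the session object, the base64 "encoded" form of the ID (the write-up does not say how the real IDs are encoded) and the function names are all assumptions made for this example. The vulnerable handler trusts the client-supplied user parameter exactly as the write-up describes; the hardened handler takes the identity from the session and refuses any request for a different user. The probe at the end reproduces the write-up's check of trying IDs 1 through 6, in both plain and encoded form, and lists which foreign records come back.

```javascript
// Added illustration, not the challenge's own code. All names and data below
// are constructed for the example.
const USERS = {
  1: { id: 1, username: "phototest", email: "phototest@example.invalid" },
  2: { id: 2, username: "alice", email: "alice@example.invalid" },
  3: { id: 3, username: "bob", email: "bob@example.invalid" },
};

// Assumed decoder: accepts a plain integer or a base64-wrapped integer. This
// mirrors the write-up's observation that the endpoint takes "either integer
// or encoded values"; base64 is a stand-in for whatever the real encoding is.
function decodeUserId(raw) {
  if (typeof raw !== "string") return null;
  if (/^\d+$/.test(raw)) return Number(raw);
  const decoded = Buffer.from(raw, "base64").toString("utf8");
  return /^\d+$/.test(decoded) ? Number(decoded) : null;
}

// Vulnerable model: requires a session, then returns whatever record the
// client asked for. Obscuring the ID changes nothing, because the missing
// piece is the ownership check, not the identifier format.
function getUserVulnerable(query, session) {
  if (!session || !session.userId) return { status: 401, body: null };
  const id = decodeUserId(query.user);
  const record = id === null ? undefined : USERS[id];
  return record ? { status: 200, body: record } : { status: 404, body: null };
}

// Hardened model: the record is selected by the authenticated session. If the
// client supplies an ID at all, it must match the session or the request is
// refused. (A real fix might also drop the parameter entirely.)
function getUserSafe(query, session) {
  if (!session || !session.userId) return { status: 401, body: null };
  if (query.user !== undefined) {
    const requested = decodeUserId(query.user);
    if (requested !== session.userId) return { status: 403, body: null };
  }
  const record = USERS[session.userId];
  return record ? { status: 200, body: record } : { status: 404, body: null };
}

// The write-up's check: as one user, request IDs 1..maxId in plain and encoded
// form and collect every record that belongs to someone else.
function leakedIds(handler, session, maxId) {
  const leaked = new Set();
  for (let id = 1; id <= maxId; id++) {
    const forms = [String(id), Buffer.from(String(id)).toString("base64")];
    for (const raw of forms) {
      const res = handler({ user: raw }, session);
      if (res.status === 200 && res.body.id !== session.userId) leaked.add(res.body.id);
    }
  }
  return [...leaked].sort((a, b) => a - b);
}

// Stand-alone run: logged in as user 1 (phototest in this model).
const session = { userId: 1 };
console.log("vulnerable endpoint leaks:", leakedIds(getUserVulnerable, session, 6));
console.log("hardened endpoint leaks:  ", leakedIds(getUserSafe, session, 6));
```

Note that the probe compares the set of records one session can reach against that session's own identity; that is the test to run when triaging an IDOR, and it is the same whether the IDs are integers, base64, or anything else the server happens to decode.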