Lab 1: Basic User Profile Access

IDOR in user profile viewing functionality

Difficulty: Low

Lab Overview

This lab demonstrates a basic IDOR vulnerability in a user profile system. The application allows users to view any user's profile by simply changing the user_id parameter without proper authorization checks.

Objective: Access other users' profiles by manipulating the user_id parameter to view sensitive information.

Vulnerable PHP Code
<?php
session_start();

// Vulnerable: the request parameter overrides the session identity, and
// no authorization check ties the requested id to the logged-in user
$user_id = $_GET['user_id'] ?? $_SESSION['user_id'];

// Simulate user database
$users = [
    1 => ['id' => 1, 'username' => 'user1', ...],
    2 => ['id' => 2, 'username' => 'user2', ...],
    3 => ['id' => 3, 'username' => 'admin', ...]
];

// Direct access without checking whether the current user may view this profile
if (isset($users[$user_id])) {
    $profile_data = $users[$user_id];
    // Display profile data
}

// Example vulnerable usage:
// ?user_id=1 (own profile - allowed)
// ?user_id=2 (other user's profile - unauthorized access)
// ?user_id=3 (admin profile - unauthorized access)
Vulnerability Details
  • Type: Insecure Direct Object Reference (IDOR)
  • Severity: High
  • Parameter: user_id
  • Method: GET
  • Issue: Direct access to user profiles without authorization
Test Payloads

Try these user_id values:

  • 1 - User 1 profile
  • 2 - User 2 profile
  • 3 - Admin profile
  • 999 - Non-existent user

Example URLs:

  • 1.php?user_id=2
  • 1.php?user_id=3
Real-World Attack Scenarios
Mitigation Strategies
  • Implement proper authorization checks before accessing resources
  • Use indirect object references instead of direct database IDs
  • Implement proper access control lists (ACLs)
  • Use role-based access control (RBAC)
  • Implement proper session management
  • Use whitelist-based validation for allowed resources
  • Implement proper logging and monitoring
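The following is an added example, not the lab's own code, showing how the profile viewer above can be hardened along the lines of the mitigation list: the identity comes only from the session, the requested id is validated as a positive integer, an explicit ownership-or-admin authorization check runs before any record lookup, and denied requests are logged. The `role` field, the `can_view_profile` helper and the sample user records are assumptions introduced for this example.

```php
<?php
// Added example (not the lab's own code): hardened version of the profile viewer.
session_start();

// Simulated user database (constructed sample data; the 'role' field is an assumption)
$users = [
    1 => ['id' => 1, 'username' => 'user1', 'role' => 'user',  'email' => 'user1@example.com'],
    2 => ['id' => 2, 'username' => 'user2', 'role' => 'user',  'email' => 'user2@example.com'],
    3 => ['id' => 3, 'username' => 'admin', 'role' => 'admin', 'email' => 'admin@example.com'],
];

/**
 * Authorization rule (hypothetical helper): a profile may be viewed only by
 * its owner or by an admin. Keeping this in one function makes the rule
 * easy to audit and reuse across endpoints.
 */
function can_view_profile(array $actor, int $target_id): bool
{
    return $actor['id'] === $target_id || $actor['role'] === 'admin';
}

// 1. Identity comes from the authenticated session only; never from the request
if (!isset($_SESSION['user_id']) || !isset($users[$_SESSION['user_id']])) {
    http_response_code(401);
    exit('Login required');
}
$actor = $users[$_SESSION['user_id']];

// 2. Validate the requested id strictly (positive integer); default to own profile
$requested = filter_input(INPUT_GET, 'user_id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
$target_id = ($requested !== null && $requested !== false) ? $requested : $actor['id'];

// 3. Authorize before looking up the target record, so an unauthorized caller
//    gets the same 403 whether or not the id exists (no enumeration signal)
if (!can_view_profile($actor, $target_id)) {
    error_log(sprintf(
        'authz denied: session user %d requested profile %d from %s',
        $actor['id'],
        $target_id,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    http_response_code(403);
    exit('Forbidden');
}

// 4. Only now consult the data store
if (!isset($users[$target_id])) {
    http_response_code(404);
    exit('User not found!');
}

$profile_data = $users[$target_id];

// 5. Render with output encoding; expose only the fields the viewer should see
echo 'Username: ' . htmlspecialchars($profile_data['username'], ENT_QUOTES, 'UTF-8');
```

The ordering matters: performing the authorization check before the existence check means a non-admin requesting `?user_id=999` and `?user_id=2` receives the same 403, so the response cannot be used to tell valid ids from invalid ones. The `error_log` call gives the monitoring side a single, consistent line to alert on when one session is denied across many distinct profile ids.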