Lab 2: Document Access Control

IDOR in document viewing functionality

Difficulty: Medium

Lab Overview

This lab demonstrates an IDOR vulnerability in a document management system. The application lets a user view any document, including confidential ones, simply by changing the doc_id parameter, because it performs no authorization check before returning the document.

Objective: Access confidential documents by manipulating the doc_id parameter to view sensitive information.

Vulnerable PHP Code
// Vulnerable: No authorization check
$doc_id = $_GET['doc_id'] ?? '1';

// Simulate document database
$documents = [
    1 => ['id' => 1, 'title' => 'Project Alpha', 'owner_id' => 1, /* ... */],
    2 => ['id' => 2, 'title' => 'Financial Report', 'owner_id' => 2, 'confidential' => true, /* ... */],
    3 => ['id' => 3, 'title' => 'Company Strategy', 'owner_id' => 3, 'confidential' => true, /* ... */]
];

// Direct access without checking if user is authorized
if (isset($documents[$doc_id])) {
    $document_data = $documents[$doc_id];
    // Display document data
}

// Example vulnerable usage:
// ?doc_id=1 (own document - allowed)
// ?doc_id=2 (other user's confidential document - unauthorized access)
// ?doc_id=3 (admin's confidential document - unauthorized access)
Document Viewer
Document: Project Alpha - Requirements
Document Information

Title: Project Alpha - Requirements

Owner: user1

Created Date: 2024-01-15

File Type: PDF

File Size: 2.5 MB

Confidential: No

Document Content

This document contains the requirements for Project Alpha...

Vulnerability Details
  • Type: Insecure Direct Object Reference (IDOR)
  • Severity: High
  • Parameter: doc_id
  • Method: GET
  • Issue: Direct access to documents without authorization
Test Payloads

Try these doc_id values:

  • 1 - Project Alpha (Your Document)
  • 2 - Financial Report (Confidential)
  • 3 - Company Strategy (Admin Confidential)
  • 4 - HR Policies (Admin Confidential)

Example URLs:

  • 2.php?doc_id=2
  • 2.php?doc_id=3
Mitigation Strategies
  • Implement proper authorization checks before accessing documents
  • Use indirect object references instead of direct database IDs
  • Implement proper access control lists (ACLs) for documents
  • Use role-based access control (RBAC) for document access
  • Implement document-level permissions and ownership checks
  • Use whitelist-based validation for allowed documents
  • Implement proper logging and monitoring for document access
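
A hardened counterpart to the vulnerable snippet above, added here as an illustration and not part of the lab's own code. It applies the ownership check, role check and access logging from the list; the helper name fetch_document_for_user, the 'admin' role name, the session stand-in and the sample data are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample data mirroring the lab's documents (fields beyond these are omitted).
const DOCUMENTS = [
    1 => ['id' => 1, 'title' => 'Project Alpha',    'owner_id' => 1, 'confidential' => false],
    2 => ['id' => 2, 'title' => 'Financial Report', 'owner_id' => 2, 'confidential' => true],
    3 => ['id' => 3, 'title' => 'Company Strategy', 'owner_id' => 3, 'confidential' => true],
];

/**
 * Hypothetical helper: return the document only if $user may read it, otherwise null.
 * $user comes from the server-side session, $rawDocId from the request.
 */
function fetch_document_for_user(array $user, $rawDocId): ?array
{
    // Accept only a positive integer; arrays and strings like "2 OR 1=1" are rejected.
    $docId = filter_var($rawDocId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($docId === false || !array_key_exists($docId, DOCUMENTS)) {
        error_log(sprintf('doc_access user=%d doc=invalid allowed=no', $user['id']));
        return null;
    }

    $doc     = DOCUMENTS[$docId];
    $isOwner = $doc['owner_id'] === $user['id'];   // ownership check
    $isAdmin = $user['role'] === 'admin';          // role check (assumed role name)
    $allowed = $isOwner || $isAdmin;

    // Log every decision so repeated denials (ID enumeration) show up in monitoring.
    error_log(sprintf('doc_access user=%d doc=%d allowed=%s',
        $user['id'], $docId, $allowed ? 'yes' : 'no'));

    return $allowed ? $doc : null;
}

// The caller's identity is taken from the session, never from a request parameter.
// This array stands in for values an authenticated session would hold.
$user = ['id' => 1, 'role' => 'user'];

$doc = fetch_document_for_user($user, $_GET['doc_id'] ?? '1');
if ($doc === null) {
    // Same response for "does not exist" and "not yours", so valid IDs are not revealed.
    http_response_code(404);
    exit('Document not found');
}
echo htmlspecialchars($doc['title'], ENT_QUOTES, 'UTF-8');
```

With this check in place, ?doc_id=1 returns the document for user 1, while ?doc_id=2 and ?doc_id=3 return the same 404 as a nonexistent ID and leave a denied entry in the log.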