Broken Access Control Lab

Exploit IDOR, privilege escalation, and forceful browsing vulnerabilities

Levels:
Level 1: IDOR - Insecure Direct Object Reference (Easy)
Level 2: Privilege Escalation - Horizontal (Medium)
Level 3: Privilege Escalation - Vertical (Medium)
Level 4: Forceful Browsing (Hard)

Level 1: IDOR - Insecure Direct Object Reference (Easy)

Objective

Access another user's private data by changing the user ID in the API request. You are logged in as user 1 (alice) and need to read user 2's (bob's) data.
Log in as alice: POST /api/login {"username":"alice","password":"alice123"}
Then, using alice's token, request: GET /api/users/2

Test Credentials

alice / alice123 (role: user, id: 1)
bob / bob456 (role: user, id: 2)
charlie / charlie789 (role: user, id: 3)
admin / admin321 (role: admin, id: 4)
Hint: This is an IDOR vulnerability. Login as alice, then change the user ID in the URL from /api/users/1 to /api/users/2. The server doesn't verify that the requesting user owns the data.
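The missing check the hint describes, as an added example that is not the lab's own code: a minimal model of the GET /api/users/:id handler, first the way the lab's server behaves (any authenticated token can read any id) and then with an ownership check. The function names, the in-memory user table and its email field are assumptions; the users mirror the lab's test credentials.

```javascript
// Constructed user table mirroring the lab's four test accounts (assumed fields).
const users = {
  1: { id: 1, username: "alice", role: "user", email: "alice@example.test" },
  2: { id: 2, username: "bob", role: "user", email: "bob@example.test" },
  3: { id: 3, username: "charlie", role: "user", email: "charlie@example.test" },
  4: { id: 4, username: "admin", role: "admin", email: "admin@example.test" },
};

// authUser is the account the login token resolved to; requestedId is the
// raw ":id" path segment from the URL, so it arrives as a string.

// Vulnerable (the lab's behaviour): authentication is checked, but the id
// taken from the URL is never compared with the caller's own id.
function getUserVulnerable(authUser, requestedId) {
  if (!authUser) return { status: 401, body: { error: "unauthenticated" } };
  const target = users[requestedId];
  if (!target) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: target }; // alice's token returns bob's record
}

// Hardened: the requested object must belong to the caller, or the caller
// must hold the admin role. The authorization decision is made before the
// lookup, so a non-owner gets the same 403 whether or not the id exists and
// cannot use the endpoint to enumerate valid ids.
function getUserHardened(authUser, requestedId) {
  if (!authUser) return { status: 401, body: { error: "unauthenticated" } };
  const id = Number(requestedId);
  if (!Number.isInteger(id) || id <= 0) {
    return { status: 400, body: { error: "invalid id" } };
  }
  if (authUser.role !== "admin" && authUser.id !== id) {
    return { status: 403, body: { error: "forbidden" } };
  }
  const target = users[id];
  if (!target) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: target };
}
```

Running the two handlers with alice's account against "/api/users/2" shows the difference: the vulnerable handler returns bob's record, the hardened one returns 403, while alice reading her own record and admin reading any record still succeed.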