This is the write-up for the IDOR room on TryHackMe; it is part of the Jr Penetration Tester path.
Connect with the VPN, or use the AttackBox on the TryHackMe site, to reach the TryHackMe lab environment.
Tasks IDOR
Task 1
1.1 What does IDOR stand for?
Answer: Insecure Direct Object Reference
Task 2
2.1 What is the Flag from the IDOR example website?
Click on the big green View Site button
Click on Order Confirmation
Change the ID to 1000

The flag is revealed once you change the number 12345 to 1000 and press Enter.
Task 3
Read everything in the task and you already know the answer
3.1 What is a common type of encoding used by websites?
Answer: base64
Task 4
4.1 Read everything in the task and you already know the answer
Answer: MD5
Task 5
5.1 What is the minimum number of accounts you need to create to check for IDORs between accounts?
Answer: 2
Task 6
Read everything in this task and press Complete
Task 7
Start the machine attached to this room
Once it has fully started, navigate in Firefox to the URL you are given; mine was https://10-10-166-159.p.thmlabs.com
Click on Customers and create an account by clicking on Sign up here
Now that you are logged in, click on Your Account

Press F12 to open the developer tools in Firefox, then click on the Network tab. If you do not see anything, reload the page.

Click on the request line that says customer?id=
Look at the URL on the right

Now right-click on the line and choose Edit and Resend

Edit the ID number to 1
Once sent, click on the line that was sent and you will see the information in the Response tab

7.1 What is the username for user id 1?
Answer: adam84
7.2 What is the email address for user id 3?
Use the same technique but change the ID to 3

Answer: j@fakemail.thm
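The room's customer?id= page is the textbook IDOR pattern: the server trusts the id from the URL instead of checking that the record belongs to the logged-in session. The Python below is an added example written for this write-up, not code from TryHackMe or from the lab machine. It shows the vulnerable lookup beside the fixed one, why the base64 encoding from Task 3 is not an access control, and a small detector that flags a session fetching many different customer ids from a constructed access log. The CUSTOMERS table, the log format and the session names are all made up for the example.

```python
import base64
import re
from collections import defaultdict

# Constructed in-memory customer table standing in for the lab's database.
# Names and addresses are invented; only the id -> record shape matters.
CUSTOMERS = {
    1: {"username": "alice", "email": "alice@example.thm"},
    2: {"username": "bob", "email": "bob@example.thm"},
    3: {"username": "carol", "email": "carol@example.thm"},
}


class Forbidden(Exception):
    """Raised when a session asks for a record it does not own."""


def get_customer_vulnerable(session_user_id, requested_id):
    """IDOR: the id from ?id= is trusted as-is, so any logged-in user can
    read any customer's record by editing the number (what Task 7 shows)."""
    return CUSTOMERS.get(requested_id)


def get_customer_fixed(session_user_id, requested_id):
    """Hardened: the requested object must belong to the authenticated
    session, and the check runs server-side on every request."""
    if requested_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read customer {requested_id}")
    return CUSTOMERS.get(requested_id)


def can_read(session_user_id, requested_id):
    """True if the fixed handler lets this session read this record."""
    try:
        get_customer_fixed(session_user_id, requested_id)
        return True
    except Forbidden:
        return False


# Task 3: base64 hides the number from casual view but is fully reversible,
# so an encoded id is still a direct object reference, not authorization.
ENCODED_ID = base64.b64encode(b"3").decode()  # "Mw=="


def decode_encoded_id(value):
    """Recover the plain integer id from its base64 form."""
    return int(base64.b64decode(value).decode())


# Detection side: a legitimate customer reads their own record; a session
# that successfully pulls many distinct ids looks like enumeration.
LOG_LINE = re.compile(r"session=(\S+) GET /customer\?id=(\d+) (\d{3})")

# Constructed sample log lines for the example (not from the lab machine).
SAMPLE_LOG = """\
session=s1 GET /customer?id=7 200
session=s1 GET /customer?id=7 200
session=s2 GET /customer?id=1 200
session=s2 GET /customer?id=2 200
session=s2 GET /customer?id=3 200
session=s2 GET /customer?id=4 404
"""


def find_enumerating_sessions(log_text, threshold=3):
    """Return {session: sorted ids} for sessions that fetched at least
    `threshold` distinct customer ids with a 200 response."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        session, cid, status = m.group(1), int(m.group(2)), m.group(3)
        if status == "200":
            seen[session].add(cid)
    return {s: sorted(ids) for s, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable, user 2 asks for id 1:", get_customer_vulnerable(2, 1))
    print("fixed, user 2 asks for id 1 allowed?", can_read(2, 1))
    print("decoded id:", decode_encoded_id(ENCODED_ID))
    print("suspicious sessions:", find_enumerating_sessions(SAMPLE_LOG))
```

The fix is the ownership check in get_customer_fixed: it ties the record to the session rather than to anything the client sends, which is what the lab application lacks. The detector only counts successful responses, so a 404 on a non-existent id is not treated as a leaked record; lower the threshold or also count 403s if you want to see attempts rather than successes.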