• Donald Ashdown

Advent of Cyber 2021 Day 1 - Web Exploitation

Updated: Jan 3

Below is the Try Hack Me official story for Day 1, and below this our my solutions.


The inventory management systems used to create the gifts have been tampered with to frustrate the elves. It's a night shift, and McStocker comes to McSkidy panicking about the gifts all being built wrong. With no managers around to fix the issue, McSkidy needs to somehow get access and fix the system and keep everything on track to be ready for Christmas!

Learning Objectives

  1. What is an IDOR vulnerability?

  2. How do I find and exploit IDOR vulnerabilities?

  3. Challenge Walkthrough.

What is an IDOR vulnerability?

IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability. An access control vulnerability is when an attacker can gain access to information or actions not intended for them. An IDOR vulnerability can occur when a web server receives user-supplied input to retrieve objects (files, data, documents), and too much trust has been placed on that input data, and the web application does not validate whether the user should, in fact, have access to the requested object.

How do I find and exploit IDOR vulnerabilities?

As previously mentioned, an IDOR vulnerability relies on changing user-supplied data. This user-supplied data can mainly be found in the following three places:

Query Component:

Query component data is passed in the URL when making a request to a website. Take, for instance, the following screenshot of a URL.

We can breakdown this URL into the following:

Protocol: https://

Domain: website.thm

Page: /profile

Query Component: id=23

Here we can see the /profile page is being requested, and the parameter id with the value of 23 is being passed in the query component. This page could potentially be showing us personal user information, and by changing the id parameter to another value, we could view other users data.

Post Variables:

Examining the contents of forms on a website can sometimes reveal fields that could be vulnerable to IDOR exploitation. Take, for example, the following HTML code for a form that updates a user's password.

<form method="POST" action="/update-password">
    <input type="hidden" name"user_id" value="123">
    <div>New Password:</div>
    <div><input type="password" name="new_password"></div>
    <div><input type="submit" value="Change Password">

You can see from the highlighted line that the user's id is being passed to the webserver in a hidden field. Changing the value of this field from 123 to another user_id may result in changing the password for another user's account.


To stay logged into a website such as this one, cookies are used to remember your session. Usually, this will involve sending a session id which is a long string of random hard to guess text such as 5db28452c4161cf88c6f33e57b62a357, which the webserver securely uses to retrieve your user information and validate your session. Sometimes though, less experienced developers may store user information in the cookie its self, such as the user's ID. Changing the value of this cookie could result in displaying another user's information. See below for an example of how this might look.

GET /user-information HTTP/1.1
Host: website.thm
Cookie: user_id=9
User-Agent: Mozilla/5.0 (Ubuntu;Linux) Firefox/94.0

Hello Jon!

GET /user-information HTTP/1.1
Host: website.thm
Cookie: user_id=5
User-Agent: Mozilla/5.0 (Ubuntu;Linux) Firefox/94.0

Hello Martin!

IDOR in the wild Seeing a product, user, or service identifier in the URL or otherwise is a must to test. IDOR vulnerabilities can reveal sensitive information, as well as potentially giving you access to usually restricted site functionality. For security researchers, IDOR vulnerabilities can be impactful, and reporting them can yield a good bug bounty; see this article, where an IDOR vulnerability report to PayPal had a $10,500 payout.


We are tasked with locating Santa's account and determining their position in the company.

We proceed to view our options relating to builds, inventory and "your activity".

Viewing "Your Activity" shows us employee information and we have a possible IDOR vulnerability as the user identification number is displayed in the URL. This should be encoded at a minimum or retrieved from a back end device using PHP or Java instead.

Changing the "id" in the URL we can view different employees and we find Santa and determine he is the boss!

We continue with the same IDOR technique and eventually find McStocker and his position at the company.

Continuing with IDOR technique we eventually find this mischievous manager in the inventory system and we assume he is up to no good based on all the SKU changes.

From here we simply revert the changes and this ultimately fixes the inventory management system and we get the flag.

The last 2 questions are just general information.

20 views0 comments