[This lab](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references) demonstrates a classic **Insecure Direct Object Reference (IDOR)** vulnerability, where the application stores sensitive files (chat transcripts) on the server with **predictable filenames** and provides access via static URLs. By manipulating the URL, a user can access other users' chat logs — including sensitive credentials. This kind of file-level IDOR is often overlooked and dangerous when access controls are missing. ##### Step-by-Step Exploitation ###### 1. Log In and Trigger a Chat - Navigate to the **Live Chat** tab - Send any message in the chat interface - Click **View transcript** to download or view the conversation log --- ###### 2. Review the Transcript URL You’ll be redirected to a path like: ``` /download-transcript/5.txt ``` This reveals that transcripts are stored as **plain text files** with numeric filenames. --- ###### 3. Modify the URL to Access Other Files Change the filename in the URL to a **lower number**, like: ``` /download-transcript/1.txt ``` If access controls are missing, you’ll see a chat transcript from **another user**. --- ###### 4. Find Carlos’s Password Keep testing IDs (`1.txt`, `2.txt`, etc.) until you find a file containing a message like: ``` Hey Carlos, your password is: s3cr3tpass123 ``` ✅ You've now obtained Carlos’s login credentials. ![[CleanShot 2025-05-05 at 23.35.58.png]] --- ###### 5. Log In as Carlos Return to the login form and authenticate as: ``` Username: carlos Password: s3cr3tpass123 ``` Once logged in, the lab will be marked **Solved**. --- ##### Why It Works - The application uses a **numeric ID in the URL** to reference files - There is **no authentication or authorization** check to confirm ownership - Attackers can access other users’ data simply by incrementing or decrementing the ID --- ##### Real-World Examples - File downloads like `/files/12345.pdf` or `/invoice/2021-00123.pdf` - Image or log URLs that expose internal names (`/logs/20230321.txt`) - API endpoints that leak document IDs or attachment references