[This lab](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references) demonstrates a classic **Insecure Direct Object Reference (IDOR)** vulnerability, where the application stores sensitive files (chat transcripts) on the server with **predictable filenames** and provides access via static URLs.
By manipulating the URL, a user can access other users' chat logs — including sensitive credentials. This kind of file-level IDOR is often overlooked and dangerous when access controls are missing.
##### Step-by-Step Exploitation
###### 1. Log In and Trigger a Chat
- Navigate to the **Live Chat** tab
- Send any message in the chat interface
- Click **View transcript** to download or view the conversation log
---
###### 2. Review the Transcript URL
You’ll be redirected to a path like:
```
/download-transcript/5.txt
```
This reveals that transcripts are stored as **plain text files** with numeric filenames.
---
###### 3. Modify the URL to Access Other Files
Change the filename in the URL to a **lower number**, like:
```
/download-transcript/1.txt
```
If access controls are missing, you’ll see a chat transcript from **another user**.
---
###### 4. Find Carlos’s Password
Keep testing IDs (`1.txt`, `2.txt`, etc.) until you find a file containing a message like:
```
Hey Carlos, your password is: s3cr3tpass123
```
✅ You've now obtained Carlos’s login credentials.
![[CleanShot 2025-05-05 at 23.35.58.png]]
---
###### 5. Log In as Carlos
Return to the login form and authenticate as:
```
Username: carlos
Password: s3cr3tpass123
```
Once logged in, the lab will be marked **Solved**.
---
##### Why It Works
- The application uses a **numeric ID in the URL** to reference files
- There is **no authentication or authorization** check to confirm ownership
- Attackers can access other users’ data simply by incrementing or decrementing the ID
---
##### Real-World Examples
- File downloads like `/files/12345.pdf` or `/invoice/2021-00123.pdf`
- Image or log URLs that expose internal names (`/logs/20230321.txt`)
- API endpoints that leak document IDs or attachment references