Insecure Direct Object Reference (4)

Guessing & Predicting Patterns

View Your Own Profile Another Way

The application we are working with seems to follow a RESTful pattern as far as the profile goes. Many apps have roles in which an elevated user may access the content of another user. In that case, just /profile won't work, since the user's own session/authentication data won't tell the application whose profile they want to view. So, what do you think is a likely pattern to view your own profile explicitly using a direct object reference?
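The point of the question above is that once the path carries the object's id (/profile/{id}), the server can no longer rely on the session alone; it must compare the id in the path with the session. The following is an added example, not WebGoat's code: a minimal model of such a handler, with the unchecked version beside the one that enforces object-level authorization. The names (Session, PROFILES, get_profile, get_profile_unchecked), the "admin" role and the numeric ids are assumptions for illustration; the profile records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not WebGoat's code). A session as the server sees it after
# authentication: who the user is, and whether their role may view others.
@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # assumed roles: "user" or "admin"

# Constructed sample data store keyed by the direct object reference (userID).
PROFILES = {
    2342384: {"name": "Tom Cat", "email": "tom@example.test"},
    2342388: {"name": "Jerry Mouse", "email": "jerry@example.test"},
}

Response = Tuple[int, Optional[dict]]  # (HTTP status, body)


def get_profile_unchecked(session: Session, requested_id: int) -> Response:
    """GET /profile/{id} resolved purely from the path: the session is ignored,
    so any authenticated user receives whichever record the id points at.
    This is the insecure direct object reference the lesson is about."""
    body = PROFILES.get(requested_id)
    return (200, body) if body is not None else (404, None)


def get_profile(session: Session, requested_id: int) -> Response:
    """Same route with the object-level check the RESTful pattern requires:
    the id in the path must be the caller's own id, or the caller must hold a
    role that is allowed to view other users' profiles.

    A forbidden id and a non-existent id both answer 404 so the response does
    not confirm whether a guessed id exists; that is a defensive choice made
    here, not something the lesson prescribes."""
    if requested_id != session.user_id and session.role != "admin":
        return (404, None)
    body = PROFILES.get(requested_id)
    return (200, body) if body is not None else (404, None)


if __name__ == "__main__":
    tom = Session(user_id=2342384, role="user")
    print(get_profile(tom, 2342384))            # own profile: 200
    print(get_profile(tom, 2342388))            # someone else's: 404
    print(get_profile_unchecked(tom, 2342388))  # unchecked handler leaks: 200
```

The check is deliberately placed before the lookup: the decision depends only on the session and the requested id, so the data store never sees a request the caller was not entitled to make, and a missing check is a single obvious line to look for in review.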

Solution

💡 Look at the previous request for profile; this one is similar.

💡 You will need data from the previous request for your own profile.

💡 Append your id to the previous request (i.e. .../profile/{yourId}).

  • Open the Development Tools in the browser, and go to the Network tab.

  • In lesson 3, click on View Profile.

  • Locate the profile request in the Network tab and click on Response.

  • Notice the userID parameter in the response; the expected answer is WebGoat/IDOR/profile/userID_value.