Insecure Direct Object Reference (4)

Guessing & Predicting Patterns

View Your Own Profile Another Way

The application we are working with seems to follow a RESTful pattern so far as the profile goes. Many apps have roles in which an elevated user may access content of another. In that case, just /profile won’t work since the own user’s session/authentication data won’t tell us whose profile they want view. So, what do you think is a likely pattern to view your own profile explicitly using a direct object reference?


💡 Look at the previous request for profile, this is similar 💡 You will need data from the previous request for your own profile 💡 Append your id to the previous request (i.e. .../profile/{yourId})

  • Open the Development Tools in the browser, and go to the Network tab.

  • In the lesson 3, click on View Profile.

  • Locate the query to blind in the Network tab and click on Response.

  • Notice the paramter userID, the expected answer is WebGoat/IDOR/profile/userID_value.

Last updated