Insecure Direct Object Reference

Click the "Insecure Direct Object Reference" challenge.

Hint: the key for this level is stored in the Administrator profile.


Return to Burp. In the Proxy "Intercept" tab, ensure "Intercept is on".


Click the "Refresh Your Profile" button and capture the request with Burp Proxy.

The captured request carries the parameter `username=guest`. The server uses this client-supplied value to decide whose profile to return, which is the direct object reference we can tamper with.

We **`modify`** the username from **`"guest"`** to **`"admin"`** and forward the request to the server.

![IDOR_SS_3](img/IDOR_SS_3.PNG)

The server response now contains the Administrator profile, including the result key, even though we are still logged in as guest.

Paste the key into the search box and submit.
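The following is an added example, not code from the challenge platform. It models the refresh-profile endpoint in a few lines so the tampering step above can be replayed offline: `tamper()` does what the Burp intercept does (rewrite the body parameter and keep `Content-Length` consistent), `refresh_profile_vulnerable()` trusts the `username` parameter the way the challenge does, and `refresh_profile_fixed()` shows the usual fix of deriving the identity from the session instead. The request text, session cookie, endpoint path, profile data and key value are all constructed for the example and are not the challenge's real values.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample data (assumption): the real challenge's key and users are not known here.
PROFILES = {
    "guest": {"display": "Guest User", "key": None},
    "admin": {"display": "Administrator", "key": "KEY-constructed-placeholder"},
}
# Session id -> authenticated username: what the server actually knows about the caller.
SESSIONS = {"s3ss10n-guest": "guest"}

# Constructed capture of the "Refresh Your Profile" request as seen in Burp (path is an assumption).
CAPTURED = (
    "POST /challenge/idor/refresh_profile HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Cookie: session=s3ss10n-guest\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 14\r\n"
    "\r\n"
    "username=guest"
)


def parse_request(raw):
    """Split a raw HTTP request into (request line, header dict, form parameters)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, parse_qs(body)


def session_user(headers):
    """Resolve the caller's identity from the session cookie, or None if not logged in."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


def tamper(raw, param, value):
    """Rewrite one body parameter before forwarding, as done in the Burp intercept step.
    Content-Length is recomputed so the forwarded request stays well-formed."""
    head, _, body = raw.partition("\r\n\r\n")
    params = {k: v[0] for k, v in parse_qs(body).items()}
    params[param] = value
    new_body = urlencode(params)
    new_head = "\r\n".join(
        f"Content-Length: {len(new_body)}" if line.lower().startswith("content-length:") else line
        for line in head.split("\r\n")
    )
    return new_head + "\r\n\r\n" + new_body


def refresh_profile_vulnerable(raw):
    """IDOR: the caller is authenticated, but the profile returned is chosen by the
    client-controlled 'username' parameter, so guest can ask for admin's profile."""
    _, headers, params = parse_request(raw)
    if session_user(headers) is None:
        return 401, None
    profile = PROFILES.get(params.get("username", [""])[0])
    return (200, profile) if profile else (404, None)


def refresh_profile_fixed(raw):
    """Fix: the session decides whose profile is returned. If a username parameter is
    still accepted for compatibility, it must match the session user or be refused."""
    _, headers, params = parse_request(raw)
    user = session_user(headers)
    if user is None:
        return 401, None
    if params.get("username", [user])[0] != user:
        return 403, None
    return 200, PROFILES[user]


if __name__ == "__main__":
    forged = tamper(CAPTURED, "username", "admin")
    print("vulnerable, original :", refresh_profile_vulnerable(CAPTURED))
    print("vulnerable, tampered :", refresh_profile_vulnerable(forged))
    print("fixed, tampered      :", refresh_profile_fixed(forged))
```

The fixed handler returns 403 on a mismatch rather than silently substituting the session user, so the tampering attempt is visible in logs; an alternative is to drop the parameter entirely and key the lookup only on the session.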
