# Insecure Direct Object Reference

Click on the `"Insecure Direct Object Reference"` challenge.

`Hint!` The key for this level is stored in the Administrator's profile.

![IDOR\_SS\_1a](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwOL1Fk0woLWBx2J%2Fidor_ss_1a.png?generation=1547571285860114\&alt=media)

Return to `Burp`. In the Proxy `"Intercept"` tab, ensure `"Intercept is on"`.

![MD\_3](https://github.com/vermava/Appsec-california/tree/cdbaad6527a8e2c32b29a8c303720684407c9a75/4-owasp-top10/insecure-direct-object-reference/img/MD_3.png)

Click the `"Refresh Your Profile"` button and capture the request using Burp Proxy.

<div align="left"><img src="https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQwOPS4Vot0GUT8vf%2Fidor_ss_1.png?generation=1547571289778024&#x26;alt=media" alt=""></div>

**In the captured request we find the parameter `"username = guest"`.**

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-Lz8VyMpV2A7EOeJpxJm%2F-Lz8bE1ihp6GodBE8cZz%2Fimage.png?alt=media\&token=c82fa5ea-eed6-4db2-9d27-288ceac22367)

We **`modify`** the username from **`"guest"`** to **`"admin"`** and forward the request to the server.

![IDOR_SS_3](img/IDOR_SS_3.PNG)

The server response now contains the **Result Key**: the application selected the profile to return using the client-supplied `username` value instead of the identity of the logged-in session.

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-Lyyn70vVmYM2wK0Vh4z%2F-LyynKVv9F3K6JwEVODJ%2Fimage.png?alt=media\&token=b6984170-6ea8-4b80-8ae1-4513d49aa7fc)

Paste the key into the search box and **`Submit`**.

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-Lyyn70vVmYM2wK0Vh4z%2F-LyynNmkq4GNwPCMS8Wq%2Fimage.png?alt=media\&token=dc1b1afa-2fa8-4eb7-8b70-59c608258586)
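The root cause of the steps above is that the profile endpoint trusts the `username` parameter sent by the client. The following is an added example, not code from the AppSec California lab: it models that endpoint in its vulnerable form next to a hardened form that takes the identity from the server-side session and applies an object-level authorization rule, and it adds a log check that flags requests whose `username` parameter does not match the session owner. All names (`PROFILES`, `SESSIONS`, `ROLES`, the `get_profile_*` functions, the log format) are assumptions made for this illustration, and the key values are constructed placeholders.

```python
# Added example: minimal model of the profile endpoint, vulnerable vs. hardened,
# plus a detection helper. Data below is constructed for the demo.

PROFILES = {
    "guest": {"key": "GUEST-KEY-PLACEHOLDER"},
    "admin": {"key": "ADMIN-KEY-PLACEHOLDER"},  # constructed; not the lab's real key
}

# Server-side session store: session id -> authenticated username (assumption).
SESSIONS = {"s-guest-1": "guest", "s-admin-1": "admin"}

# Role assignment used by the authorization rule (assumption).
ROLES = {"guest": "user", "admin": "admin"}


class AccessDenied(Exception):
    """Raised when the hardened endpoint refuses a request."""


def get_profile_vulnerable(request):
    """Vulnerable form: the record is chosen by the client-supplied 'username'
    parameter, so editing guest -> admin (as done in Burp above) returns the
    admin profile. The session is never consulted."""
    username = request["params"]["username"]
    return PROFILES[username]


def get_profile_hardened(request):
    """Hardened form: identity comes from the session, not the request body.
    A user may read only their own profile; an admin may read any profile."""
    actor = SESSIONS.get(request.get("session_id"))
    if actor is None:
        raise AccessDenied("no authenticated session")
    # The client may still name a target, but it is subject to authorization.
    target = request.get("params", {}).get("username", actor)
    if target != actor and ROLES.get(actor) != "admin":
        raise AccessDenied(f"{actor} may not read profile of {target}")
    if target not in PROFILES:
        raise AccessDenied("unknown profile")  # avoid leaking which names exist
    return PROFILES[target]


def find_idor_attempts(log_lines):
    """Detection: flag access-log lines whose 'username' parameter differs from
    the user bound to the session. Log format (constructed for this example):
    'session=<id> username=<name> path=<url>'."""
    flagged = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        session_user = SESSIONS.get(fields.get("session"))
        if session_user is not None and fields.get("username") != session_user:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    tampered = {"session_id": "s-guest-1", "params": {"username": "admin"}}
    print("vulnerable:", get_profile_vulnerable(tampered))
    try:
        get_profile_hardened(tampered)
    except AccessDenied as e:
        print("hardened refused:", e)
    sample_log = [  # constructed log lines
        "session=s-guest-1 username=guest path=/profile",
        "session=s-guest-1 username=admin path=/profile",
        "session=s-admin-1 username=admin path=/profile",
    ]
    print("flagged:", find_idor_attempts(sample_log))
```

The hardened handler keeps accepting a `username` parameter so that an admin can still look at other profiles, but the decision is made against the session identity and a role check, not against whatever the client typed. The log check is the matching detection: a parameter that names a different user than the session owner is exactly the tampering shown in the Burp screenshots and is worth alerting on even when the server refuses it.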
