Customer API IDOR exposing usernames and emails by id
Foundations web engagement: account UI loaded /api/v1/customer?id= without ownership checks; swapping ids disclosed adam84 and j@fakemail.thm plus encoded/hashed ID patterns.
- Case files
- Customer API IDOR exposing usernames and emails by id
Registered customer session; Network tab showed customer?id=; horizontal id swaps returned other users’ PII. Brief covered base64 and MD5-wrapped ids as well.
Authenticated session; id=1 and id=3 disclosed other customers.
Engagement summary
Registered customer session; Network tab showed customer?id=; horizontal id swaps returned other users’ PII. Brief covered base64 and MD5-wrapped ids as well.
IDOR lab demonstrated insecure direct object references end-to-end. After customer registration, Your Account prefilled fields via GET /api/v1/customer?id={self}. Changing id to 1 returned username adam84; id=3 returned email j@fakemail.thm — no server-side ownership check. Supporting material covered Base64-encoded ids, MD5 of integer ids, and dual-account swap testing when ids look unpredictable.
Business impact
Horizontal IDOR on customer APIs is bulk PII theft. Authorize every object against the session subject; prefer opaque non-sequential ids only as defense-in-depth, never as the sole control.
Practical /api/v1/customer IDOR
Authenticated session; id=1 and id=3 disclosed other customers.
OPERATOR · API
# register → login → DevTools Network on /account
savvy@lab:~$ curl -s -b 'session=<cookie>' 'http://target/api/v1/customer?id=50'
{"id":50,"username":"<self>","email":"<self>"}
savvy@lab:~$ curl -s -b 'session=<cookie>' 'http://target/api/v1/customer?id=1'
{"id":1,"username":"adam84",...}
savvy@lab:~$ curl -s -b 'session=<cookie>' 'http://target/api/v1/customer?id=3'
{"id":3,"email":"j@fakemail.thm",...}
NOTE · OBSCURED IDS
idor-patterns.txt
base64(user_id) → decode, mutate, re-encode
md5("123") → crackstation / offline map
unpredictable UUID → still test with two accountsRemediation
Server-side ACL on every customer id. Add automated IDOR tests that swap ids across two sessions. Log cross-tenant access attempts.