Guest login IDOR to admin profile via user parameter
Foundations web engagement: HTML comment leaked guest:guest; profile.php?user= accepted horizontal privilege escalation to the admin profile.
- Case files
- Guest login IDOR to admin profile via user parameter
Guest credentials from a source comment authenticated; swapping the user query parameter exposed another account’s secrets.
guest:guest login; user= parameter IDOR disclosed admin content.
Engagement summary
Guest credentials from a source comment authenticated; swapping the user query parameter exposed another account’s secrets.
NEIGHBOUR exposed SSH and Apache. The login page source contained <!-- use guest:guest credentials until registration is fixed -->. After login, profile.php?user=guest rendered the guest profile. Changing user=admin (or another account name) returned that user’s protected content without a server-side ownership check — classic IDOR.
Business impact
Object references taken from the client without authorization checks leak PII and secrets across tenants. Enforce server-side ownership on every object id; never leave temporary credentials in HTML comments.
Guest foothold and parameter swap
guest:guest login; user= parameter IDOR disclosed admin content.
OPERATOR · WEB
savvy@lab:~$ nmap -sV 10.49.151.21
22/tcp open ssh
80/tcp open http Apache httpd 2.4.53
savvy@lab:~$ curl -s http://10.49.151.21/ | grep -i guest
<!-- use guest:guest credentials until registration is fixed -->
savvy@lab:~$ curl -s -b 'PHPSESSID=<session>' 'http://10.49.151.21/profile.php?user=admin'
# admin profile / secret rendered
Remediation
Map sessions to allowed object ids in the data layer. Remove debug comments from production. Add automated IDOR tests that swap ids across two accounts.