Case file

Auth and crypto failure categories with sequential IDOR revert

Foundations web engagement: mapped unlimited login attempts to Identification and Authentication Failures and cleartext credentials to Cryptographic Failures, then used an IDOR on sequential user objects to locate and revert malicious changes.

Foundations14 minOWASP · IDOR · Authentication · Cryptography
  • Classified two login-surface defects under OWASP categories, then walked sequential user IDs until the tampered account was found and reverted — recovering THM{IDOR_EXPLORED}.

  • Documented OWASP categories, then probed sequential user IDs to revert the malicious change.

01

Engagement summary

Classified two login-surface defects under OWASP categories, then walked sequential user IDs until the tampered account was found and reverted — recovering THM{IDOR_EXPLORED}.

WEB APPLICATION SECURITY framed common web risks in operator language. A login page that accepted unlimited attempts without lockout or backoff maps to Identification and Authentication Failures — credential stuffing and password spraying succeed at machine speed. Username and password sent in cleartext (no TLS) maps to Cryptographic Failures — any on-path observer recovers the session bootstrap secret. The practical lab exposed an object reference pattern: user records addressed by sequential identifiers. Enumerating other users revealed which account had made malicious changes; reverting that object returned THM{IDOR_EXPLORED}. Access to a browser is the only client prerequisite — the defects live in server policy and authorization, not exotic tooling.

Business impact

Authn failures without rate limits turn every public login into an offline-quality password oracle. Cleartext credentials violate baseline compliance and enable trivial session theft. IDOR on sequential IDs is mass data exposure and unauthorized state change — treat object-level authorization as mandatory on every read/write.

02

Category mapping and IDOR revert

Documented OWASP categories, then probed sequential user IDs to revert the malicious change.

RISK MAP

owasp-map.txt

Unlimited login attempts  →  Identification and Authentication Failures
Cleartext username/password →  Cryptographic Failures
Sequential user?id=N        →  Broken Access Control (IDOR)

OPERATOR · IDOR

savvy@lab:~$ for i in $(seq 1 20); do curl -s "http://10.10.10.10/user?id=$i" | grep -i malicious && echo "hit id=$i"; done

hit id=… — malicious changes located

savvy@lab:~$ curl -s -X POST "http://10.10.10.10/user/revert?id=…"

THM{IDOR_EXPLORED}

Remediation

Enforce lockout/backoff and MFA on public auth. Mandate TLS everywhere; never accept passwords over HTTP. Authorize every object ID against the session principal; prefer opaque IDs; log and alert on sequential ID enumeration patterns.