Auth and crypto failure categories with sequential IDOR revert
Foundations web engagement: mapped unlimited login attempts to Identification and Authentication Failures and cleartext credentials to Cryptographic Failures, then used an IDOR on sequential user objects to locate and revert malicious changes.
- Case files
- Auth and crypto failure categories with sequential IDOR revert
Classified two login-surface defects under OWASP categories, then walked sequential user IDs until the tampered account was found and reverted — recovering THM{IDOR_EXPLORED}.
Documented OWASP categories, then probed sequential user IDs to revert the malicious change.
Engagement summary
Classified two login-surface defects under OWASP categories, then walked sequential user IDs until the tampered account was found and reverted — recovering THM{IDOR_EXPLORED}.
WEB APPLICATION SECURITY framed common web risks in operator language. A login page that accepted unlimited attempts without lockout or backoff maps to Identification and Authentication Failures — credential stuffing and password spraying succeed at machine speed. Username and password sent in cleartext (no TLS) maps to Cryptographic Failures — any on-path observer recovers the session bootstrap secret. The practical lab exposed an object reference pattern: user records addressed by sequential identifiers. Enumerating other users revealed which account had made malicious changes; reverting that object returned THM{IDOR_EXPLORED}. Access to a browser is the only client prerequisite — the defects live in server policy and authorization, not exotic tooling.
Business impact
Authn failures without rate limits turn every public login into an offline-quality password oracle. Cleartext credentials violate baseline compliance and enable trivial session theft. IDOR on sequential IDs is mass data exposure and unauthorized state change — treat object-level authorization as mandatory on every read/write.
Category mapping and IDOR revert
Documented OWASP categories, then probed sequential user IDs to revert the malicious change.
RISK MAP
owasp-map.txt
Unlimited login attempts → Identification and Authentication Failures
Cleartext username/password → Cryptographic Failures
Sequential user?id=N → Broken Access Control (IDOR)OPERATOR · IDOR
savvy@lab:~$ for i in $(seq 1 20); do curl -s "http://10.10.10.10/user?id=$i" | grep -i malicious && echo "hit id=$i"; done
hit id=… — malicious changes located
savvy@lab:~$ curl -s -X POST "http://10.10.10.10/user/revert?id=…"
THM{IDOR_EXPLORED}
Remediation
Enforce lockout/backoff and MFA on public auth. Mandate TLS everywhere; never accept passwords over HTTP. Authorize every object ID against the session principal; prefer opaque IDs; log and alert on sequential ID enumeration patterns.