[Day 14] Web Applications

December 14, 2022

Today I am reviewing the OWASP Top 10 vulnerabilities, specifically IDOR (Insecure Direct Object Reference). First I log into the web application with the given credentials.

Next, I increment the values in the URL.

Once I find that flag, I inspect the webpage and find an /images directory. I paste that path into the browser and increment/decrement the values in the URL. I am then granted the flag for this challenge.

Here is my sad drawing that illustrates the IDOR vulnerability being used across different folders of the web application. Since we cannot retrieve the flag from the same directory, we use another known directory, /images, found by inspecting the webpage.
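To make the mechanism behind the two flags concrete, here is an added example (my own illustration, not code from the TryHackMe room): a tiny profile store with the IDOR-vulnerable lookup that trusts the id in the URL next to a fixed version that checks the record belongs to the logged-in user, plus a small detector that flags a client walking through consecutive ids in access log lines. The profile records, the log lines and the `min_ids` threshold are all constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    office: str


# Constructed sample data (placeholder names and offices, not the room's values).
PROFILES = {
    101: Profile(101, "elf_a", "Office 1"),
    102: Profile(102, "elf_b", "Office 2"),
    103: Profile(103, "elf_c", "Office 3"),
}


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session_user_id, requested_id):
    # The id comes straight from the URL (?id=102) and is never compared with
    # the session: any logged-in user can read any record by changing the number.
    return PROFILES[requested_id]


def is_authorized(session_user_id, requested_id):
    # Per-object authorization: the record must belong to the caller.
    profile = PROFILES.get(requested_id)
    return profile is not None and profile.user_id == session_user_id


def get_profile_fixed(session_user_id, requested_id):
    # Same lookup, but the ownership check happens before anything is returned.
    if not is_authorized(session_user_id, requested_id):
        raise Forbidden("record is not owned by the session user")
    return PROFILES[requested_id]


# Common-log-style access line; only GET requests are of interest here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)
# Object ids appear either as ?id=N on profile pages or as /images/N on image paths.
ID_RE = re.compile(r"(?:[?&]id=|/images/)(\d+)")


def enumeration_candidates(log_lines, min_ids=3):
    """Return {client_ip: sorted ids} for clients that fetched at least
    `min_ids` distinct object ids forming one consecutive run."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        idm = ID_RE.search(m["path"])
        if idm:
            seen[m["ip"]].add(int(idm.group(1)))
    flagged = {}
    for ip, ids in seen.items():
        ordered = sorted(ids)
        if len(ordered) >= min_ids and ordered[-1] - ordered[0] == len(ordered) - 1:
            flagged[ip] = ordered
    return flagged


# Constructed access log: one client steps through ids 101..104, another
# only views its own profile and image.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Dec/2022:10:00:01 +0000] "GET /profile?id=101 HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Dec/2022:10:00:02 +0000] "GET /profile?id=102 HTTP/1.1" 200 498',
    '203.0.113.7 - - [14/Dec/2022:10:00:03 +0000] "GET /profile?id=103 HTTP/1.1" 200 503',
    '203.0.113.7 - - [14/Dec/2022:10:00:04 +0000] "GET /profile?id=104 HTTP/1.1" 404 120',
    '198.51.100.2 - - [14/Dec/2022:10:00:05 +0000] "GET /profile?id=101 HTTP/1.1" 200 512',
    '198.51.100.2 - - [14/Dec/2022:10:00:06 +0000] "GET /images/5001.png HTTP/1.1" 200 9100',
]

if __name__ == "__main__":
    print(get_profile_vulnerable(101, 102))   # another user's record leaks
    print(is_authorized(101, 102))            # False once ownership is checked
    print(enumeration_candidates(SAMPLE_LOG))  # the stepping client is flagged
```

The detector is deliberately simple: it only looks at distinct ids per source address and whether they form an unbroken run, which is exactly the pattern produced by incrementing the URL value by hand. In a real deployment the same logic would run over a time window and also count 403/404 responses, since a fixed application still logs the attempts even though it no longer leaks the records.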

Flags

What is the office number of Elf Pivot McRed?

134

Not only profile pages but also stored images are vulnerable. Start with a URL of a valid profile image; what is the hidden flag?

THM{CLOSE_THE_DOOR}
