
Task 1 What is an IDOR?
What does IDOR stand for?
From our reading we know that IDOR is an Insecure Direct Object Reference.

Task 2 An IDOR Example
What is the flag from the IDOR example website?
To get this we first need to open the site and poke around. If we click on "order" we can see that the order number in the URL is 1234, and if we change that to 1000 we get the flag.

Task 3 Finding IDORs in Encoded IDs
What is a common type of encoding used by websites?
From our reading we know that it is base64 encoding.

Task 4 Finding IDORs in Hashed IDs
What is a common algorithm used for hashing IDs?
From our reading we know that md5 is commonly used.

Task 5 Finding IDORs in Unpredictable IDs
What is the minimum number of accounts you need to create to check for IDORs between accounts?
You need 2 accounts, so you can check whether using the account id from one of them lets you access the other.

Task 6 Where are IDORs located

Task 7 A Practical IDOR Example
First we need to start our machine, then navigate to the lab page and create an account.
What is the username for user id 1?
If we open the developer tools, go to the network tab and refresh, we can see a request to customer?id=15. If we click on it we get directed to a page whose URL is https://10-10-67-209.p.thmlabs.com/api/v1/customer?id=15. Now that we know how they are referencing the id, we can change the 15 to 1 and we get our first flag.
What is the email address for user id 3?
Again using the above method we can get the user's email, which is j@fakemail.thm
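The endpoint in Task 7 is missing an authorization check, not an input-handling bug: any logged-in user can read any customer record by changing the id. The following is an added example (not code from the room or from TryHackMe) of a minimal lookup as the lab exposes it next to a fixed version; the customer records, the `hashed_id` helper and the function names are assumptions. It also covers the base64-encoded and md5-hashed id forms from Tasks 3 and 4, to show that obscuring the id does not replace the ownership check.

```python
import base64
import hashlib

# Constructed sample records standing in for the lab's customer table.
CUSTOMERS = {
    1: {"username": "admin_user", "email": "admin@example.thm"},
    15: {"username": "newuser", "email": "newuser@example.thm"},
}


def hashed_id(cid):
    """md5 of the integer id, the way a site from Task 4 would expose it."""
    return hashlib.md5(str(cid).encode()).hexdigest()


def decode_id(raw):
    """Map the id as it appears in the request (plain, base64 or md5) back to
    an integer record id. This is only parsing; it grants nothing by itself."""
    if raw.isdigit():
        return int(raw)
    try:  # Task 3 style: base64-encoded id such as "MTU=" for 15
        return int(base64.b64decode(raw, validate=True).decode())
    except (ValueError, UnicodeDecodeError):
        pass
    # Task 4 style: the server can always match its own hashed ids, and since
    # the underlying ids are small integers the hashes are just as predictable
    for cid in CUSTOMERS:
        if hashed_id(cid) == raw:
            return cid
    return None


def get_customer_vulnerable(session_user_id, raw_id):
    """/api/v1/customer?id=<raw_id> as the lab behaves: being logged in is
    the only check, so the session user's id is never compared to the record."""
    cid = decode_id(raw_id)
    return CUSTOMERS.get(cid)


def get_customer_fixed(session_user_id, raw_id):
    """Same endpoint with the missing authorization check: the requested id
    must equal the id bound to the server-side session, whatever its encoding."""
    cid = decode_id(raw_id)
    if cid is None or cid != session_user_id:
        return None  # deny rather than leak another user's record
    return CUSTOMERS.get(cid)
```

The fixed version also returns the same "not found" result for a wrong id and a non-existent one, so a caller cannot enumerate which ids exist.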
