User Profile Viewer
This page demonstrates an IDOR (Insecure Direct Object Reference) vulnerability. You are logged in as user ID 5, but can view other user profiles by changing the id value in the URL.
Profile Information
User ID: 5
Username: eve_online
Email: eve@example.com
Full Name: Eve Online
Phone: +1-555-0105
Address: 202 Cyber Space Rd, Internet City, IC 56789
Social Security Number: 567-89-0123
Credit Card: 4916-5678-9012-3456
✓ You are viewing your own profile (User ID: 5)
About this vulnerability:
IDOR (Insecure Direct Object Reference) occurs when an application exposes a reference to an internal object (like a database key or filename) without proper authorization checks.
The Problem:
- The application accepts a user ID directly from the URL parameter
- No check is performed to verify if the current user is authorized to view that profile
- Attackers can simply change the ID in the URL to access other users' data
How to fix it:
- Authorization checks: Verify that the authenticated user has permission to access the requested resource
- Obfuscation: Use non-sequential, unguessable identifiers (e.g. UUIDs, ULIDs) instead of sequential integers.