User Profile Viewer
This page demonstrates an IDOR (Insecure Direct Object Reference) vulnerability. You are logged in as user ID 5, but can view other user profiles by changing the id value in the URL.
Profile Information
User ID: 1
Username: alice_wonder
Email: alice@example.com
Full Name: Alice Wonderland
Phone: +1-555-0101
Address: 123 Rabbit Hole Lane, Wonderland, WL 12345
Social Security Number: 123-45-6789
Credit Card: 4532-1234-5678-9010
⚠️ You are viewing another user's profile! (Your ID: 5)
About this vulnerability:
IDOR (Insecure Direct Object Reference) occurs when an application exposes a reference to an internal object (like a database key or filename) without proper authorization checks.
The Problem:
- The application accepts a user ID directly from the URL parameter
- No check is performed to verify if the current user is authorized to view that profile
- Attackers can simply change the ID in the URL to access other users' data
How to fix it:
- Authorization checks: Verify that the authenticated user has permission to access the requested resource
- Obfuscation: Use non-sequential, unguessable identifiers (e.g. UUIDs, ULIDs) instead of sequential integers.