User Profile Viewer

This page demonstrates an IDOR (Insecure Direct Object Reference) vulnerability. You are logged in as user ID 5, but can view other user profiles by changing the id value in the URL.

Profile Information

User ID: 3
Username: charlie_brown
Email: charlie@example.com
Full Name: Charlie Brown
Phone: +1-555-0103
Address: 789 Peanuts Ave, Comic Strip, CS 34567
Social Security Number: 345-67-8901
Credit Card: 3782-3456-7890-1234

⚠️ You are viewing another user's profile! (Your ID: 5)

About this vulnerability:

IDOR (Insecure Direct Object Reference) occurs when an application exposes a reference to an internal object (like a database key or filename) without proper authorization checks.

The Problem:

How to fix it:
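
As an added example (not the demo application's own code), the sketch below puts the unchecked profile lookup described above beside a version that ties the requested id to the authenticated session. The function names, the in-memory `USERS` store and the record for user 5 are assumptions made for illustration.

```python
# Constructed sample data standing in for the application's user table.
USERS = {
    3: {"id": 3, "username": "charlie_brown", "email": "charlie@example.com"},
    5: {"id": 5, "username": "sample_user", "email": "sample@example.com"},
}


def view_profile_vulnerable(session_user_id, requested_id):
    """Return whatever record the URL's id points at; the session is ignored."""
    user = USERS.get(requested_id)
    return (200, user) if user else (404, None)


def view_profile_fixed(session_user_id, requested_id, denied_log):
    """Same lookup, but the record must belong to the authenticated user."""
    if session_user_id is None:
        return 401, None  # no session: authenticate first
    if requested_id != session_user_id:
        # Record the mismatch so repeated attempts across ids are reviewable.
        denied_log.append({"actor": session_user_id, "target": requested_id})
        # Design choice: answer 404 so the response does not confirm
        # which ids exist; a 403 is also a valid choice.
        return 404, None
    user = USERS.get(requested_id)
    return (200, user) if user else (404, None)


if __name__ == "__main__":
    log = []
    # Logged in as user 5, asking for id 3 (the case shown on this page).
    print("vulnerable:", view_profile_vulnerable(5, 3))
    print("fixed, other user:", view_profile_fixed(5, 3, log))
    print("fixed, own profile:", view_profile_fixed(5, 5, log))
    print("denied attempts:", log)
```

The check lives on the server and compares against the session, never against a value the client supplies alongside the id.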