User Profile Viewer
This page demonstrates an IDOR (Insecure Direct Object Reference) vulnerability. You are logged in as user ID 5, but can view other user profiles by changing the id value in the URL.
Profile Information
User ID: 6
Username: frank_castle
Email: frank@example.com
Full Name: Frank Castle
Phone: +1-555-0106
Address: 303 Punishment Way, Justice Town, JT 67890
Social Security Number: 678-90-1234
Credit Card: 5520-6789-0123-4567
⚠️ You are viewing another user's profile! (Your ID: 5)
About this vulnerability:
IDOR (Insecure Direct Object Reference) occurs when an application exposes a reference to an internal object (like a database key or filename) without proper authorization checks.
The Problem:
- The application accepts a user ID directly from the URL parameter
- No check is performed to verify if the current user is authorized to view that profile
- Attackers can simply change the ID in the URL to access other users' data
How to fix it:
- Authorization checks: Verify that the authenticated user has permission to access the requested resource
- Obfuscation: Use non-sequential, unguessable identifiers (e.g. UUIDs, ULIDs) instead of sequential integers.