Secure Legion Labs
IDOR Progression
This room simulates a forensic snapshot portal with layered identifiers: tenant, case file, and snapshot token. The system verifies tenant access and case existence, but it trusts snapshot tokens globally and never checks whether the snapshot actually belongs to the authorized case.
The current responder has access to tenant legion-blue and case CASE-4721. Snapshot tokens look random, but once the case gate passes the service accepts any token it can resolve, without asking which case or tenant that token belongs to.
?tenant=legion-blue&caseId=CASE-4721&snapshot=SNAP-1A7
The platform validates the tenant and checks that the user can see the requested case. The flaw is that the snapshot lookup happens afterward with no verification that the snapshot belongs to that case inside that tenant.
function getSnapshot(user, tenant, caseId, token) {
  if (tenantAllowed(user, tenant) && caseAllowed(user, caseId)) {
    // token is resolved against the global store, not within the authorized case
    const snapshot = snapshots[token]
    return snapshot
  }
}
// missing: snapshot.caseId === caseId && snapshot.tenant === tenant
Work inside the tenant and case you are allowed to access, then test snapshot tokens to see what leaks through.
GET /api/snapshot?tenant=<tenant>&caseId=<caseId>&snapshot=<token>
The portal trusts the snapshot token after the outer authorization checks pass. That deeper trust boundary is the vulnerability.
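The following is an added example, not the room's own code, that models the three-level check described above with an in-memory store and shows the vulnerable lookup beside a scoped one. The tenant legion-blue and case CASE-4721 come from the room; the other tenant, cases, tokens, the responder object and the helper names (tenantAllowed, caseAllowed, probe) are constructed for illustration and are not identifiers from the portal.

```javascript
// Added example: vulnerable vs. scoped snapshot lookup (not the room's code).
// Constructed sample store. Only legion-blue / CASE-4721 are named by the room;
// the remaining tenants, cases and tokens are assumptions for this demo.
const snapshots = {
  "SNAP-1A7": { tenant: "legion-blue", caseId: "CASE-4721", data: "own-case snapshot" },
  "SNAP-9Z3": { tenant: "legion-blue", caseId: "CASE-0913", data: "other case, same tenant" },
  "SNAP-5C2": { tenant: "legion-red",  caseId: "CASE-0042", data: "other tenant entirely" },
};

// Constructed responder: may see tenant legion-blue and only case CASE-4721.
const responder = { tenants: ["legion-blue"], cases: ["CASE-4721"] };

// Outer gates, as the room describes them: tenant membership, then case visibility.
const tenantAllowed = (user, tenant) => user.tenants.includes(tenant);
const caseAllowed = (user, caseId) => user.cases.includes(caseId);

// Vulnerable handler, mirroring the room's pseudocode: once both gates pass,
// the token is resolved against the global store with no ownership check.
function getSnapshotVulnerable(user, { tenant, caseId, snapshot }) {
  if (!(tenantAllowed(user, tenant) && caseAllowed(user, caseId))) {
    return { status: 403, body: { error: "forbidden" } };
  }
  const snap = snapshots[snapshot];
  if (!snap) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: snap };
}

// Scoped handler: the lookup is bound to the authorized (tenant, caseId) pair.
// A token that exists but belongs elsewhere is treated exactly like a missing
// one, so the response also does not confirm that a foreign token is valid.
function getSnapshotHardened(user, { tenant, caseId, snapshot }) {
  if (!(tenantAllowed(user, tenant) && caseAllowed(user, caseId))) {
    return { status: 403, body: { error: "forbidden" } };
  }
  const snap = snapshots[snapshot];
  if (!snap || snap.tenant !== tenant || snap.caseId !== caseId) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: snap };
}

// Probe: stay inside the one authorized tenant/case context and try every
// token in the store. Returns token -> HTTP status for the given handler.
function probe(handler) {
  const ctx = { tenant: "legion-blue", caseId: "CASE-4721" };
  const out = {};
  for (const token of Object.keys(snapshots)) {
    out[token] = handler(responder, { ...ctx, snapshot: token }).status;
  }
  return out;
}

console.log("vulnerable:", probe(getSnapshotVulnerable)); // every token returns 200
console.log("hardened:  ", probe(getSnapshotHardened));   // only SNAP-1A7 returns 200
```

The probe keeps the request inside the authorized tenant and case and varies only the snapshot token, which is exactly the room's attack path: the vulnerable handler hands back snapshots from another case and another tenant, while the scoped handler returns the same 404 for a foreign token as for a nonexistent one. In a real service the cleanest fix is to make the store itself scoped (key or query by tenant and case, not by token alone) so the ownership check cannot be forgotten by a later caller.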
The flag appears only after you reach the intended foreign snapshot while staying inside an authorized tenant and case context.
Submit the unlocked flag to finish the extreme room.
The tenant and case gates succeed for the current user.
The snapshot token is looked up globally instead of within the authorized case.
A foreign snapshot is returned because the deepest object relationship was never enforced.