Secure Legion Labs
IDOR Progression
This room simulates a document export portal where the user selects a workspace and a report reference. The application verifies membership in the workspace but trusts the report reference independently, which leaks files from other workspaces inside the same organization.
The current analyst has access to the apollo workspace. The report export feature trusts the report reference as long as the user stays inside a workspace they already belong to.
?workspace=apollo&reportRef=RPT-A11

Expose a foreign export

The application validates workspace access but stops too early. It forgets to ensure the report being requested belongs to the same workspace that was authorized.
if (memberOf(workspace)) {
  report = reports[reportRef]
  return report
}
// missing: report.workspace === workspace

Stay inside the workspace you legitimately control, then experiment with report references.
GET /api/report?workspace=&reportRef=

The export preview returns the report whenever the workspace is authorized and the reference exists. The missing check is the relationship between the authorized workspace and the actual report owner.
The flag appears after you pull the intended foreign report into the workspace you already control.
Submit the unlocked flag to finish the hard room.
The app confirms the user belongs to one workspace.
It loads the report object independently from the workspace authorization.
A foreign report reference slips through because the app never binds it back to the authorized workspace.
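The handler sketched above, written out as an added example (not the room's own code) with the vulnerable version beside a hardened one that binds the loaded report back to the authorized workspace. The user "analyst", the foreign workspace "hermes" and the reference "RPT-B07" are constructed for the example; only "apollo" and "RPT-A11" come from the room text.

```javascript
// Constructed data: the analyst belongs to apollo only; hermes is a foreign
// workspace in the same organization.
const memberships = { analyst: new Set(["apollo"]) };
const reports = {
  "RPT-A11": { workspace: "apollo", body: "apollo quarterly export" },
  "RPT-B07": { workspace: "hermes", body: "hermes quarterly export" }, // foreign
};

function memberOf(user, workspace) {
  return memberships[user] !== undefined && memberships[user].has(workspace);
}

// Vulnerable handler: mirrors the room's snippet. Membership is verified, but
// the report is loaded by reference alone, so any existing reference is
// returned no matter which workspace owns it.
function exportReportVulnerable(user, workspace, reportRef) {
  if (!memberOf(user, workspace)) return { status: 403 };
  const report = reports[reportRef];
  if (!report) return { status: 404 };
  return { status: 200, report };
}

// Hardened handler: the ownership check ties the object to the workspace that
// was actually authorized. A report that exists but belongs elsewhere gets the
// same 404 as a missing one, so the response does not confirm foreign refs.
function exportReportFixed(user, workspace, reportRef) {
  if (!memberOf(user, workspace)) return { status: 403 };
  const report = reports[reportRef];
  if (!report || report.workspace !== workspace) return { status: 404 };
  return { status: 200, report };
}

// Routes a request in the room's GET /api/report?workspace=&reportRef= shape
// through a chosen handler. The base URL is a placeholder for parsing only.
function handleRequest(user, requestPath, handler) {
  const url = new URL(requestPath, "http://localhost");
  const workspace = url.searchParams.get("workspace") || "";
  const reportRef = url.searchParams.get("reportRef") || "";
  return handler(user, workspace, reportRef);
}
```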