Secure Legion Labs

IDOR Progression

IDOR - Medium

This room moves beyond a single object ID. The portal asks for both a customer and an invoice reference, but it only validates that each object exists. It never checks whether the invoice actually belongs to the requesting customer.

Objective: Retrieve another customer's invoice. Mix object references to pull an invoice outside the current account scope.
Difficulty: Medium. Two parameters, a believable data model, and a missing relationship check.
Flag: Unlocks on cross-customer access. The flag appears when the wrong customer sees the target invoice.
Request Model

How the invoice is selected

The current customer session is CUST-1001. Try requesting invoices with different references and think about what should happen if the object relationships were enforced correctly.

  • Customer: ?customer=CUST-1001
  • Invoice: &invoice=INV-2101
  • Goal: Expose an ownership mismatch
Hint: When two identifiers are accepted together, test whether the application validates the relationship between them or only checks each one separately.
Access Logic

What the application gets wrong

The endpoint treats customer lookup and invoice lookup as separate checks. The missing link is the ownership relationship between those two records.

function getInvoice(id, ref) {
  const customer = customers[id]   // existence check only
  const invoice = invoices[ref]    // existence check only
  if (customer && invoice) { return invoice }
  // missing: invoice.customerId === customer.id
}
Request Console

Load an invoice

Try different customer and invoice combinations to observe what the application returns.

Current request: GET /api/invoice?customer=&invoice=
Invoice Viewer

Rendered output

The portal renders the invoice whenever the objects exist. The bug is the missing relationship validation between the customer and the invoice.


Flag Unlock

Challenge flag

The flag appears after the current customer can see the target invoice that belongs to another account.

Submit Flag

Validate completion

Submit the unlocked flag to finish the medium room.


Execution Path

How the IDOR happens here

1. Accept two references

The endpoint trusts both a customer ID and an invoice reference from the request.

2. Load objects separately

It verifies existence but not the relationship between them.

3. Return mismatched data

An attacker can pair the victim invoice with their own customer context and still receive the data.
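The access logic and the three execution steps above, written out as an added example (not the lab's own code): a handler that mirrors the room's missing check, next to a hardened handler that binds the customer to the authenticated session and enforces invoice ownership. The customer and invoice records are constructed; the assignment of INV-2101 to CUST-1002 is an assumption for illustration.

```javascript
// Constructed in-memory data modelled on the room's identifiers.
// Which customer owns INV-2101 is assumed here; the page only says "another account".
const customers = {
  "CUST-1001": { id: "CUST-1001", name: "Current session customer" },
  "CUST-1002": { id: "CUST-1002", name: "Other customer" },
};
const invoices = {
  "INV-2101": { ref: "INV-2101", customerId: "CUST-1002", total: 420.0 },
  "INV-2102": { ref: "INV-2102", customerId: "CUST-1001", total: 75.5 },
};

// Vulnerable handler, as in the lab: both lookups only check existence, so the
// invoice is returned even though it belongs to a different customer.
function getInvoiceVulnerable(customerId, invoiceRef) {
  const customer = customers[customerId];
  const invoice = invoices[invoiceRef];
  if (customer && invoice) return { status: 200, body: invoice };
  return { status: 404, body: null };
}

// Hardened handler: the customer identity comes from the authenticated session,
// not from the query string, and the invoice must belong to that customer.
// A mismatch returns 404 rather than 403 so the response does not confirm
// that the invoice reference exists.
function getInvoiceHardened(session, invoiceRef) {
  const customer = customers[session.customerId];
  const invoice = invoices[invoiceRef];
  if (!customer || !invoice || invoice.customerId !== customer.id) {
    return { status: 404, body: null };
  }
  return { status: 200, body: invoice };
}

// Detection aid for request logs: true when the customer parameter disagrees
// with the session, or when the requested invoice is owned by someone else.
function ownershipMismatch(session, customerParam, invoiceRef) {
  const invoice = invoices[invoiceRef];
  return customerParam !== session.customerId ||
    (invoice !== undefined && invoice.customerId !== session.customerId);
}

const session = { customerId: "CUST-1001" };
console.log(getInvoiceVulnerable("CUST-1001", "INV-2101").status); // 200: cross-customer leak
console.log(getInvoiceHardened(session, "INV-2101").status);       // 404: ownership enforced
console.log(getInvoiceHardened(session, "INV-2102").status);       // 200: own invoice
```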