Secure Legion Labs

Broken Access Control Lab

IDOR - Easy

This challenge simulates a portal that trusts object identifiers coming from the request. The application shows account data based only on the object ID, without verifying whether the logged-in user should actually see it.

Objective: Access another user's record. Change the object reference and retrieve data you should not be able to view.
Difficulty: Easy. Simple request tampering designed to introduce the IDOR concept cleanly.
Flag: Unlock on unauthorized access. The flag appears when you reach a sensitive record that belongs to someone else.
Request Model

How the object is selected

The page reads an ?account= value and uses it to fetch a record. The current session belongs to one user, but the request handler does not restrict which object ID can be loaded.

  • Session: User1001
  • Parameter: ?account=1001
  • Goal: Confirm unauthorized object access

Hint: When access control is object-based, small identifier changes are often more valuable than complex payloads.
Access Logic

What the application gets wrong

The app checks whether a record exists and then renders it. The broken step is that it never verifies whether the logged-in user actually owns that record before returning the data.

function getAccount(accountId) {
  const record = accounts[accountId]
  if (record) { return record }
  // missing ownership validation: nothing checks that the session user owns accountId
}
Request Console

Load an account

Use the internal console to request different account objects and watch how the portal responds.

Record Viewer

Account output

The portal renders account information whenever a matching record exists. The bug is that it trusts the object reference instead of validating access rights.


Flag Unlock

Challenge flag

The flag appears after you access a record outside the current user's account scope.

Submit Flag

Validate completion

Submit the exact unlocked flag to finish the IDOR room.


Execution Path

How the IDOR happens here

1. Read object ID

The application takes an account identifier directly from the request.

2. Load record

The backend finds the object and prepares it for rendering.

3. Skip authorization

No ownership validation runs before the response is shown to the user.
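The three steps above and the Access Logic snippet describe the same missing check. The following is an added example, not the lab's own code: it places a handler that mirrors the lab's existence-only lookup next to a hardened handler that validates the identifier, releases the record only when the authenticated session owns it, and writes an audit event for every denied cross-object read. The account store, session shape and record contents are constructed for this demo; the function names are assumptions.

```javascript
// Added example (not the lab's own code): the lab's object lookup beside a
// hardened version that enforces ownership. Store, session and record
// contents are constructed for this demo.
const accounts = {
  1001: { ownerId: 1001, holder: 'User1001', balance: 120.5 },
  1002: { ownerId: 1002, holder: 'User1002', balance: 9870.0 },
};

// Security events a detection team would want: denied cross-object reads.
const auditLog = [];

// Vulnerable handler: mirrors the lab's access logic. Existence is the only
// check, so any authenticated session can read any account object.
function loadAccountVulnerable(session, accountId) {
  const record = accounts[accountId];
  if (record) return { status: 200, body: record };
  return { status: 404, body: { error: 'not found' } };
}

// Hardened handler: the session, not the request, decides whose data is in
// scope. The object ID is validated, then the record is released only if the
// authenticated user owns it. Missing and foreign records both yield 404 so
// the response does not reveal which IDs exist.
function loadAccountSecure(session, rawAccountId) {
  if (!session || !Number.isInteger(session.userId)) {
    return { status: 401, body: { error: 'unauthenticated' } };
  }
  const accountId = Number.parseInt(String(rawAccountId), 10);
  if (!Number.isInteger(accountId) || accountId <= 0) {
    return { status: 400, body: { error: 'invalid account id' } };
  }
  const record = accounts[accountId];
  if (!record || record.ownerId !== session.userId) {
    auditLog.push({
      event: 'idor_denied',
      userId: session.userId,
      requested: accountId,
      exists: Boolean(record),
    });
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: record };
}

// Simulate the lab flow: a session for User1001 requests its own record and
// then a neighbouring identifier, against both handlers. The audit log is
// reset first so the denied count reflects only this run.
function demo() {
  auditLog.length = 0;
  const session = { userId: 1001 };
  return {
    own: loadAccountSecure(session, '1001'),
    vulnerableForeign: loadAccountVulnerable(session, '1002'),
    secureForeign: loadAccountSecure(session, '1002'),
    denied: auditLog.filter((e) => e.event === 'idor_denied').length,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hardened handler deliberately returns the same 404 for "does not exist" and "not yours", while the audit entry keeps the distinction (`exists: true`) for the defenders: a burst of `idor_denied` events from one session walking adjacent identifiers is exactly the pattern worth alerting on.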