IDOR in Profile API

Hard
#idor
#owasp-a01
#api

Overview

This lab demonstrates a classic IDOR vulnerability where the API endpoint uses sequential user IDs without proper authorization checks. You will learn to identify and exploit this flaw, then implement the secure version.

Scenario

You are authenticated as user ID 42. The application exposes a profile endpoint at `/api/users/:id`. The endpoint returns user profile data including email, phone, and address. There are no authorization checks beyond authentication.

Exploit Steps

  1. Authenticate as your user (ID: 42) and observe the profile request
  2. Note the API endpoint: GET /api/users/42
  3. Modify the user ID parameter to another value: GET /api/users/1
  4. Observe that the API returns the admin user's full profile data
  5. Enumerate additional user IDs to extract bulk user data

routes/users.js
// Vulnerable endpoint — no authorization check
// (db is assumed to be a promise-based client, so the query is awaited)
app.get('/api/users/:id', authenticate, async (req, res) => {
  const userId = req.params.id;

  // ❌ No check: does req.user.id === userId?
  // Any authenticated caller can fetch any row by changing :id
  const user = await db.query(
    'SELECT id, name, email, phone, address FROM users WHERE id = ?',
    [userId]
  );

  res.json(user);
});

This code contains a known vulnerability. Never deploy code like this in production. Use the Secure Mode toggle to see the remediation.
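The following is an added example of the remediation the lab asks you to implement, not the lab's own Secure Mode code. It adds an object-level authorization check in front of the query; the in-memory `USERS` map, `db.findUser` and the Express-like `res` stub are constructed stand-ins so it runs without a server or database.

```javascript
// Constructed sample data standing in for the lab's users table (not real records).
const USERS = new Map([
  [1,  { id: 1,  name: 'Admin', email: 'admin@example.test', phone: '555-0100', address: '1 Main St',  role: 'admin' }],
  [42, { id: 42, name: 'Alice', email: 'alice@example.test', phone: '555-0142', address: '42 Elm St', role: 'user' }],
]);

// Assumed stand-in for the lab's db.query: resolves with one row or undefined.
const db = {
  async findUser(id) { return USERS.get(id); },
};

// The authorization decision, kept separate so it is testable and reusable:
// a caller may read a profile only if it is their own or they hold the admin role.
function canReadProfile(requester, targetId) {
  if (!requester || !Number.isInteger(targetId)) return false;
  return requester.id === targetId || requester.role === 'admin';
}

// Hardened GET /api/users/:id. Differences from the vulnerable handler:
//  - :id is parsed strictly instead of being passed through as a raw string
//  - ownership is checked BEFORE the database is queried
//  - forbidden and missing IDs both answer 404, so responses do not confirm
//    which sequential IDs exist (the property that made step 5 cheap)
//  - only the documented columns are returned; internal fields such as role never leak
async function getUserProfile(req, res) {
  const targetId = Number.parseInt(req.params.id, 10);
  if (!canReadProfile(req.user, targetId)) {
    return res.status(404).json({ error: 'not found' });
  }
  const user = await db.findUser(targetId);
  if (!user) return res.status(404).json({ error: 'not found' });
  const { id, name, email, phone, address } = user;
  return res.json({ id, name, email, phone, address });
}

// Minimal Express-like response object so the handler can be exercised offline.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Replays the lab's exploit path (user 42 requests /api/users/1) against the hardened handler.
async function demo() {
  const res = makeRes();
  await getUserProfile({ user: USERS.get(42), params: { id: '1' } }, res);
  return res.statusCode; // 404: the admin profile is no longer readable by user 42
}
```

In a real Express app the handler is mounted as `app.get('/api/users/:id', authenticate, getUserProfile)`; logging the 404s produced by the `canReadProfile` branch gives a simple detection signal for ID-tampering attempts.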