Webgoat Solution: Guessing and Predicting Patterns (Insecure Direct Object References)

callgh0st
2 min read, Sep 15, 2023

Section A1: Broken Access Control

Sub-section: Insecure Direct Object References.

Module/Lesson 4: Guessing and Predicting Patterns — Viewing Your Own Profile Differently.

To successfully complete this lesson, you must have already completed Lesson 3.

To solve Lesson 4, follow these steps:

1. Return to Lesson 3 and click on “View Profile.” Ensure that you intercept the request.

2. Send the intercepted request to the repeater. As expected, you will get the same response you got in Lesson 3, including fields such as role, color, size, name, and userId, each with its assigned value. We will be using the userId value. Copy the userId value; for example, mine is 2342384.

3. Examine your request and copy the URL that follows the GET method, which is /WebGoat/IDOR/profile. This is part of our alternate path.

4. Now, go back to Lesson 4: Guessing and Predicting Patterns and clear your answer box. Then, paste the alternate path you copied. In my case, it is /WebGoat/IDOR/profile. Then, add a slash (/) after profile and paste the userId you copied. You should have something similar to this: /WebGoat/IDOR/profile/2342384. Click Submit.
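The reason this works is that the profile route trusts the numeric id in the path without checking who is asking for it. The following added example (my own code, not WebGoat's) models the /WebGoat/IDOR/profile/{userId} route twice, once with the defect and once with an ownership check, and adds a small log scan that flags a session reading a profile id other than its own. All names (Session, PROFILES, handle, cross_user_reads), the second user record, the role numbering, and the log lines are constructed assumptions for the example; only the path and the userId 2342384 come from the post.

```python
"""Added example, not WebGoat's own code: a toy model of the
/WebGoat/IDOR/profile/{userId} route, with and without an authorisation check."""
import re
from dataclasses import dataclass

# Constructed sample user store. 2342384 is the userId shown in the post;
# the second record is invented for the example.
PROFILES = {
    2342384: {"userId": 2342384, "name": "Tom Cat", "role": 3, "color": "yellow", "size": "small"},
    2342385: {"userId": 2342385, "name": "Jerry Mouse", "role": 3, "color": "grey", "size": "small"},
}

ADMIN_ROLE = 1  # assumption for this model: role 1 is an administrator


@dataclass
class Session:
    """The authenticated caller, as the server already knows it from the session."""
    user_id: int
    role: int = 3


PROFILE_PATH = re.compile(r"^/WebGoat/IDOR/profile/(\d+)$")


def parse_profile_id(path):
    """Extract the numeric id from /WebGoat/IDOR/profile/<id>, or None if the path does not match."""
    m = PROFILE_PATH.match(path)
    return int(m.group(1)) if m else None


def profile_vulnerable(session, requested_id):
    """Authenticated but not authorised: any logged-in user can read any
    profile simply by changing the number in the path (the IDOR defect)."""
    profile = PROFILES.get(requested_id)
    if profile is None:
        return 404, None
    return 200, profile


def profile_hardened(session, requested_id):
    """Same route with an ownership check: the record must belong to the
    caller, or the caller must be an administrator. 403 otherwise."""
    profile = PROFILES.get(requested_id)
    if profile is None:
        return 404, None
    if requested_id != session.user_id and session.role != ADMIN_ROLE:
        return 403, None
    return 200, profile


def handle(session, path, handler):
    """Route a GET for the given path to one of the two handlers above."""
    requested_id = parse_profile_id(path)
    if requested_id is None:
        return 404, None
    return handler(session, requested_id)


# Constructed access-log lines: "<sessionUserId> <method> <path> <status>".
SAMPLE_LOG = """\
2342384 GET /WebGoat/IDOR/profile 200
2342384 GET /WebGoat/IDOR/profile/2342384 200
2342384 GET /WebGoat/IDOR/profile/2342385 200
2342385 GET /WebGoat/IDOR/profile/2342385 200
"""


def cross_user_reads(log_text):
    """Detection: list (session_user, requested_id, status) for every request
    in which a session fetched a profile id that is not its own."""
    hits = []
    for line in log_text.splitlines():
        session_user, _method, path, status = line.split()
        requested_id = parse_profile_id(path)
        if requested_id is not None and requested_id != int(session_user):
            hits.append((int(session_user), requested_id, int(status)))
    return hits


if __name__ == "__main__":
    me = Session(user_id=2342384)
    print(handle(me, "/WebGoat/IDOR/profile/2342385", profile_vulnerable))  # (200, other user's record)
    print(handle(me, "/WebGoat/IDOR/profile/2342385", profile_hardened))    # (403, None)
    print(cross_user_reads(SAMPLE_LOG))  # [(2342384, 2342385, 200)]
```

The fix is the single comparison in profile_hardened: the id in the URL is compared with the identity the server already holds in the session, so changing the path no longer changes whose data comes back. The log scan shows the same condition from the other side; a request whose path id differs from the session's own id, returned with 200, is exactly the event a defender wants to see.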

That’s how you solve this lesson. I hope you find this content educational. Thank you for reading.
