Authorization 01

This exercise is one of our challenges on Authorisation issues

PRO Tier | Easy | < 1 Hr. | 16114


This lab demonstrates an Insecure Direct Object Reference (IDOR) vulnerability, a common issue in web applications where authorization is not properly verified. First, you log in using the provided credentials (user1 with the password "pentesterlab"). Once logged in, you can navigate the application by incrementing the ID in the URL (e.g., /infos/1, /infos/2). This lets you access sensitive information belonging to other users because the application performs no authorization check on the requested record.

The video walkthrough provides a detailed code review of the exercise, explaining how the Rails application is set up and where the vulnerability lies. Specifically, the code does not verify that the current user owns the information they are trying to access, allowing any authenticated user to view any information by manipulating the URL. The goal of this challenge is to identify and exploit this flaw to gain access to other users' data.
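The missing ownership check described above, modelled in plain Ruby without Rails so it runs stand-alone. This is an added example, not the exercise's own code; the names `Info`, `User`, `INFOS`, `show_vulnerable` and `show_secure` are assumptions, and the two records are constructed sample data.

```ruby
# Added example (not PentesterLab's exercise code): the ownership check that
# an IDOR on /infos/:id is missing, modelled in plain Ruby without Rails.
# Names (Info, User, INFOS, USERS) are assumptions; data is constructed.
Info = Struct.new(:id, :owner_id, :body)
User = Struct.new(:id, :username)

# Constructed sample data: two users, each owning one record.
USERS = { 1 => User.new(1, "user1"), 2 => User.new(2, "user2") }.freeze
INFOS = [Info.new(1, 1, "user1's private note"),
         Info.new(2, 2, "user2's private note")].freeze

class NotFound < StandardError; end

# Vulnerable pattern: equivalent of `Info.find(params[:id])` in a controller.
# Any authenticated user receives any record, so changing the id leaks data.
def show_vulnerable(current_user, id)
  info = INFOS.find { |i| i.id == id }
  raise NotFound unless info
  info.body
end

# Fixed pattern: equivalent of `current_user.infos.find(params[:id])`.
# The lookup is scoped to records the caller owns; a foreign id behaves like
# a missing one, so the response does not reveal whether the record exists.
def show_secure(current_user, id)
  info = INFOS.find { |i| i.id == id && i.owner_id == current_user.id }
  raise NotFound unless info
  info.body
end

# Returns :ok or :not_found for one request by user_id against info_id.
def attempt(handler, user_id, info_id)
  send(handler, USERS.fetch(user_id), info_id)
  :ok
rescue NotFound
  :not_found
end

if __FILE__ == $0
  # user1 requesting /infos/2, which is owned by user2
  puts "vulnerable: #{attempt(:show_vulnerable, 1, 2)}"  # ok (data leaks)
  puts "fixed:      #{attempt(:show_secure, 1, 2)}"      # not_found
end
```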
