ClearDesk's IT helpdesk API authenticates every request, but does it authorize them? The ticket endpoint checks who you are but not what you're allowed to see. Enumerate resources you shouldn't access, chain credential theft with privilege escalation, and exploit a file-reading feature to reach the root flag.
An Insecure Direct Object Reference (IDOR) vulnerability is a critical access control flaw that occurs when a web application exposes internal object references - such as database IDs, filenames, or resource identifiers - without verifying that the requesting user is authorized to access them. IDOR is one of the most commonly discovered vulnerabilities in web applications and APIs, frequently appearing in bug bounty programs and penetration testing engagements.
Applications that use predictable identifiers (like sequential integers) in their URLs or API endpoints are particularly susceptible to IDOR attacks. For example, if accessing /api/tickets/15 returns your support ticket, changing the ID to /api/tickets/16 might return another user's ticket if the server does not verify ownership. The key distinction is between authentication (verifying who you are) and authorization (verifying what you can access). Many applications implement authentication correctly but fail at authorization, creating IDOR vulnerabilities that allow horizontal privilege escalation.
REST APIs are especially prone to IDOR because they commonly expose resource identifiers directly in URL paths. API endpoints for CRUD operations on user data, documents, orders, or tickets often use sequential or predictable IDs. When combined with automated enumeration tools, an attacker can systematically access every resource in the system, extracting sensitive data belonging to all users. In more severe cases, IDOR can be chained with other vulnerabilities - such as credential theft or path traversal - to escalate from data disclosure to full system compromise.
Effective prevention requires implementing proper authorization checks on every request to verify that the authenticated user has permission to access the requested resource. Using non-predictable identifiers (like UUIDs instead of sequential integers) adds defense in depth but should not be relied upon as the sole protection. Server-side access control logic, combined with thorough security testing that includes parameter manipulation and resource enumeration, is essential for identifying and preventing IDOR flaws in web applications.
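As an added example (not code from the lab or its target application), the ticket lookup described above in Python: a handler that only authenticates beside one that also authorizes, plus a small helper a tester would use to confirm which IDs a given user can read. The ticket data, user roles and function names are constructed for the example.

```python
# Added example: IDOR in a ticket endpoint and the ownership check that fixes it.
# All data and names below are constructed; nothing here is the lab's own code.

# Constructed sample data: ticket id -> record, and user -> role.
TICKETS = {
    15: {"owner": "alice", "subject": "VPN not connecting"},
    16: {"owner": "bob", "subject": "Password reset for admin portal"},
}
USERS = {"alice": "user", "bob": "user", "carol": "helpdesk"}


class Forbidden(Exception):
    """Caller is not authenticated (would be HTTP 401/403)."""


class NotFound(Exception):
    """Ticket does not exist for this caller (would be HTTP 404)."""


def get_ticket_vulnerable(current_user, ticket_id):
    """Authenticates (rejects unknown callers) but never authorizes:
    any logged-in user can read any ticket just by changing the id."""
    if current_user not in USERS:
        raise Forbidden("login required")
    if ticket_id not in TICKETS:
        raise NotFound(ticket_id)
    return TICKETS[ticket_id]


def get_ticket_fixed(current_user, ticket_id):
    """Authorizes every request: the caller must own the ticket or hold
    a role explicitly allowed to read all tickets (constructed: 'helpdesk')."""
    if current_user not in USERS:
        raise Forbidden("login required")
    ticket = TICKETS.get(ticket_id)
    allowed = ticket is not None and (
        ticket["owner"] == current_user or USERS[current_user] == "helpdesk"
    )
    # Same error for "missing" and "not yours", so the response does not
    # reveal which ids exist to someone enumerating the id space.
    if not allowed:
        raise NotFound(ticket_id)
    return ticket


def readable_ids(handler, current_user, ids):
    """Authorization test helper: which of `ids` can this user read?"""
    ok = []
    for ticket_id in ids:
        try:
            handler(current_user, ticket_id)
            ok.append(ticket_id)
        except (Forbidden, NotFound):
            pass
    return ok
```

Running `readable_ids` over an id range with each handler is the parameter-manipulation check the text recommends: the vulnerable handler returns every existing ticket for any logged-in user, the fixed one returns only the caller's own.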