THM - Advent of Cyber [Day 1]

Last year I participated in the Advent of Cyber event on TryHackMe. I learned a lot from this event, and I was happy to see that they are continuing the Advent of Cyber series this year as well. I only have two regrets from last year. The first was that I missed a day last year and broke what was my longest streak on THM. The second was that I didn't take notes and share what I had learned. So I'm planning on posting (hopefully every day) on the event, but per the request of THM, I won't give answers to the rooms.

Web Exploitation (IDOR)

This challenge deals with IDOR (Insecure Direct Object Reference) vulnerabilities. IDOR falls under the category of access control vulnerabilities, which give attackers access to files and actions they shouldn't have. An example of an IDOR vuln would be an attacker requesting a resource from a web server that doesn't properly validate the user's access to that resource and hands it over anyway.

This task discussed three main IDOR examples: query components, post variables, and cookies. Query components are the part of a web URL that could potentially be associated with a user's personal info. For instance, when you see a ?id=23, that could be a potential IDOR, with the number 23 being a unique ID for the logged-in user. Post variables are found with forms that submit user input and can carry a value associated with a specific individual user. An example of a post variable would be a field to change your password. Finally, cookies can store user data, and if a developer is careless, sometimes changing the cookie can change the user. If you want to look at some cookies that websites use, I'd recommend playing with a Firefox extension called 'Cookie Editor'.
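To make the query-component case concrete, here is an added example (my own, not TryHackMe's code): a profile lookup that trusts ?id= beside one that checks the object belongs to the logged-in user. The user records, the Request object and the handler names are all constructed for illustration.

```python
"""Toy model of an IDOR on a ?id=<n> profile lookup, with its fix.

Constructed example; USERS, Request and the handler names are assumptions,
not code from the TryHackMe room.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for the site's user records.
USERS = {
    23: {"name": "elf_one", "email": "one@example.invalid"},
    24: {"name": "elf_two", "email": "two@example.invalid"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request."""
    session_user_id: int                        # set server-side at login
    query: dict = field(default_factory=dict)   # e.g. {"id": "24"} from ?id=24


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def vulnerable_profile(req: Request) -> Optional[dict]:
    """IDOR: trusts the ?id= parameter and never asks who is logged in."""
    raw = req.query.get("id", str(req.session_user_id))
    return USERS.get(int(raw)) if raw.isdigit() else None


def hardened_profile(req: Request) -> Optional[dict]:
    """Fix: only return the object when it belongs to the session user.

    Ownership is checked against server-held session state the client
    cannot edit. The same deny-by-default check applies to POST fields
    and cookie values that name a user.
    """
    raw = req.query.get("id", str(req.session_user_id))
    if not raw.isdigit():
        return None                              # malformed id -> treat as not found
    requested = int(raw)
    if requested != req.session_user_id:
        # A logged-in user asking for someone else's id is worth logging:
        # it is a simple detection signal for IDOR probing.
        raise Forbidden(f"user {req.session_user_id} requested object {requested}")
    return USERS.get(requested)


def access_denied(req: Request) -> bool:
    """True if the hardened handler refuses the request (used for checks)."""
    try:
        hardened_profile(req)
    except Forbidden:
        return True
    return False
```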

The task gives you a website that has misconfigured toy builds, and using IDOR you can change the user account that you’re logged into and help to fix the toys. This task deals with query components and figuring out how to change users based on that method. Here’s a screenshot of the site in the task:

[Screenshot of the task site: Spot the IDOR]

After fixing all the mistakes, you get a flag for your troubles. This room did a really great job of simplifying IDORs and making it easy for anybody to do. Honestly, this is such a great room, I may recommend it at my part-time job as a break for kids who are coding. Looking forward to tomorrow's task!
