Insecure Direct Object References are what we're trying next, and these are things I actually tried myself before, when I was a kid idly spending time on the net.
You see your customer number in the URL, change it and reload to see if anything changes. Maybe you'll get access to someone else's stuff! This room was mostly reading, with only a couple of practical tasks, so I completed it pretty quickly.
One interesting thing is the use of the developer tools to edit and resend requests to the server. I actually hadn’t really noticed this before, so that was pretty cool to find out. I was using Firefox, but I also checked it out on Chrome and it was similar there as well.
Overall a pretty cool little trick to have a look at – and combined with decoding data from base64 and then re-encoding it to send again, it could be a cool little trick to try.
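To make the point concrete from the defender's side, here is an added example (my own code, not part of the room or the original post) that simulates the "customer number in the URL" lookup described above: a handler that trusts the id straight from the request, the hardened version that checks ownership before returning anything, a base64 decoder showing that encoding an id is not access control, and a crude log check that flags accounts racking up denied lookups. The invoice data, log lines, the `/invoice?id=` endpoint and the threshold of 3 are all constructed assumptions.

```python
import base64
import binascii

# Constructed sample data: invoices keyed by a predictable numeric id, each with an owner.
INVOICES = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 17.50},
}


class NotFound(Exception):
    """Raised for missing objects and for objects the caller may not see."""


def get_invoice_vulnerable(session_user, invoice_id):
    """IDOR: the id taken from the URL is used directly, the session user is ignored."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_hardened(session_user, invoice_id):
    """Look the object up, then verify the requesting user actually owns it."""
    invoice = INVOICES.get(invoice_id)
    # Same error for "does not exist" and "not yours", so the response cannot be
    # used to tell which ids are valid.
    if invoice is None or invoice["owner"] != session_user:
        raise NotFound(invoice_id)
    return invoice


def decode_reference(encoded):
    """Decode a base64-encoded id from a request parameter.

    Anyone can decode, edit and re-encode this value, so it gets exactly the same
    authorization check as a plain integer would.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
        return int(raw.decode("ascii"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        raise NotFound(encoded)


def handle_request(session_user, encoded_id, lookup):
    """Simulated endpoint /invoice?id=<base64>; returns (status_code, body)."""
    try:
        invoice_id = decode_reference(encoded_id)
        return 200, lookup(session_user, invoice_id)
    except NotFound:
        return 404, None


# Constructed access-log lines in the shape the simulated endpoint would write.
SAMPLE_LOG = """\
user=bob id=1001 status=404
user=bob id=1002 status=200
user=bob id=1003 status=404
user=bob id=1004 status=404
user=alice id=1001 status=200
"""


def flag_enumeration(log_text, threshold=3):
    """Return users with at least `threshold` denied object lookups.

    A burst of 404s on sequential ids from one account is a crude but useful signal
    that someone is iterating object references; the threshold is an assumed tuning value.
    """
    denials = {}
    for line in log_text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("status") == "404":
            denials[fields["user"]] = denials.get(fields["user"], 0) + 1
    return sorted(user for user, count in denials.items() if count >= threshold)


if __name__ == "__main__":
    # base64 of "1001" is "MTAwMQ=="; bob asks for alice's invoice.
    print(handle_request("bob", "MTAwMQ==", get_invoice_vulnerable))  # leaks alice's data
    print(handle_request("bob", "MTAwMQ==", get_invoice_hardened))    # (404, None)
    print(flag_enumeration(SAMPLE_LOG))                                # ['bob']
```

The hardened handler deliberately returns the same 404 whether the id does not exist or belongs to someone else; returning a distinct 403 for "exists but not yours" would confirm valid ids to anyone walking the number space.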
On to the next room: File Inclusion