IDORable Bistro
Difficulty:
Direct link: IDORable Bistro
Objective
Request
Josh has a tasty IDOR treat for you—stop by Sasabune for a bite of vulnerability. What is the name of the gnome?
Josh Wright

Solution
Josh asked me to exploit the IDOR (Insecure Direct Object Reference) vulnerability in the Sasabune payment system to uncover a gnome's true identity. Josh also linked a presentation about IDOR: IDOR presentation
I was provided the receipt of another client and was asked to find the receipt of the gnome.
As visible on the receipt, there is a QR code that clients can scan to pay.

After scanning the QR code, I was sent to this website listing the customer name, receipt number, and items bought.

I looked through the source code of the website with my browser's dev tools and noticed the endpoint used to retrieve the receipt. The endpoint takes only the ticket number and performs no check that the receipt belongs to the requesting customer, so any customer's information can be retrieved simply by changing the ID in the endpoint.

Appending the endpoint with the found receipt id gave me the information that was displayed on the website.

After going through the receipts one by one (obviously not the best option; a script would have been better), I finally found a receipt with a note about 'Frozen Roll' which matched a request of the gnome.
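The receipt endpoint described above is the classic IDOR shape: the record id is the only input and ownership is never checked. The following is an added example, not code from the write-up or from the Sasabune application: a hypothetical receipt lookup in its vulnerable form beside a fixed form that binds the record to the authenticated customer, plus a small check over constructed access-log lines that flags a client walking through many receipt ids (the pattern the manual one-by-one search, or a script, would leave behind). All names (Receipt, RECEIPTS, the lookup and detection functions, the log format and the sample customers) are assumptions; the gnome's name and the 'Frozen Roll' note are taken from the write-up.

```python
"""Added example (not part of the original write-up): a receipt lookup with
an IDOR, its fixed counterpart, and a detection check over constructed logs.
All identifiers and sample data here are hypothetical."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Receipt:
    receipt_id: int
    customer: str
    items: Tuple[str, ...]
    note: str = ""


# Constructed sample store. Sequential ids are what makes guessing easy.
RECEIPTS: Dict[int, Receipt] = {
    1001: Receipt(1001, "Alice Example", ("Tuna Nigiri", "Miso Soup")),
    1002: Receipt(1002, "Bob Example", ("Salmon Roll",), note="extra ginger"),
    1003: Receipt(1003, "Bartholomew Quibblefrost", ("Frozen Roll",),
                  note="Frozen Roll, as requested"),
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested receipt."""


def lookup_receipt_vulnerable(receipt_id: int) -> Optional[Receipt]:
    """IDOR: the id is the only input, so any valid id returns any receipt."""
    return RECEIPTS.get(receipt_id)


def lookup_receipt_fixed(authenticated_customer: str,
                         receipt_id: int) -> Optional[Receipt]:
    """Same lookup, but the record must belong to the authenticated caller.

    The caller identity comes from the session, never from the request body
    or URL, so a client cannot simply claim to be someone else.
    """
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None:
        return None
    if receipt.customer != authenticated_customer:
        raise Forbidden(f"{authenticated_customer} may not read receipt {receipt_id}")
    return receipt


def owner_check_denies(authenticated_customer: str, receipt_id: int) -> bool:
    """True if the fixed lookup refuses the request (used by the test below)."""
    try:
        lookup_receipt_fixed(authenticated_customer, receipt_id)
    except Forbidden:
        return True
    return False


# Constructed access-log lines in a hypothetical format; a legitimate diner
# scans one QR code and fetches one receipt, while 10.0.0.9 walks the id space.
SAMPLE_LOG = """\
client=10.0.0.5 path=/api/receipt/1001 status=200
client=10.0.0.9 path=/api/receipt/1000 status=404
client=10.0.0.9 path=/api/receipt/1001 status=200
client=10.0.0.9 path=/api/receipt/1002 status=200
client=10.0.0.9 path=/api/receipt/1003 status=200
client=10.0.0.9 path=/api/receipt/1004 status=404
"""

LOG_RE = re.compile(
    r"client=(?P<client>\S+) path=/api/receipt/(?P<rid>\d+) status=(?P<status>\d+)")


def flag_enumerators(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Return clients that requested more than `threshold` distinct receipt ids.

    Interleaved 404s next to 200s are a further hint that ids are being
    guessed rather than scanned from printed receipts.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[m["client"]].add(int(m["rid"]))
    return {client: len(ids) for client, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print(lookup_receipt_vulnerable(1003))          # anyone can read it
    print(lookup_receipt_fixed("Bob Example", 1002))  # owner reads own receipt
    print(owner_check_denies("Alice Example", 1003))  # True: not Alice's
    print(flag_enumerators(SAMPLE_LOG))               # {'10.0.0.9': 5}
```

In a real handler the "not yours" and "does not exist" cases are usually both returned as 404 so the response does not confirm which ids exist; the Forbidden exception is kept here only to make the ownership check visible. Replacing sequential ids with unguessable tokens (for example from `secrets.token_urlsafe`) raises the cost of probing but is a complement to the ownership check, not a substitute for it.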

After submitting the name of this customer, the objective was added to the achievements list.

Answer
Bartholomew Quibblefrost
Response
Josh Wright
Oh, you found that receipt? Perfect!
Did you see that receipt outside the door?
Excellent work exploiting that IDOR vulnerability. Textbook execution.
Now we know exactly which gnome tried to pass itself off as a sushi connoisseur. Frozen rolls... honestly, what's next?