User Profile Viewer
This page demonstrates an IDOR (Insecure Direct Object Reference) vulnerability. You are logged in as user ID 5, but can view other user profiles by changing the id value in the URL.
User not found.
About this vulnerability:
IDOR (Insecure Direct Object Reference) occurs when an application exposes a reference to an internal object (like a database key or filename) without proper authorization checks.
The Problem:
- The application accepts a user ID directly from the URL parameter
- No check is performed to verify if the current user is authorized to view that profile
- Attackers can simply change the ID in the URL to access other users' data
How to fix it:
- Authorization checks: Verify that the authenticated user has permission to access the requested resource
- Obfuscation: Use non-sequential, unguessable identifiers (e.g. UUIDs, ULIDs) instead of sequential integers.