Written by Simon

Walkthrough for the TryHackMe IDOR Room

The TryHackME IDOR room is a subscriber only room available at https://tryhackme.com/room/idor. In this room, you will learn the basics of Insecure Direct Object Reference, better known as IDOR’s.

Question 1: What does IDOR Stand for?

Answer 1: Insecure Direct Object Reference

Question 2

Start by click on the View Site button. You will see a list of emails in the THM Email Client.

Select the orders@onlinestore.thm email and then click the link.

In the new address bar, change the /1234/invoice to /1000/invoice. The browser will then show the Flag.

Question 3: What is a common type of encoding used by websites?

Answer 3: Look for the decode website in the text.

Question 4: What is a common algorithm used for hashing IDs?

Answer 4: It is a weak hashing alogorithm beginning with the letter m

Question 5: What is the minimum number of accounts you need to create to check for IDORs between accounts.

Answer 5: One less than three 🙂

Start the machine and then you can use either your own machine or the THM hackbox. For this example, open up Firefox although you are free to use the browser of your choice

  1. Open the site, the URL/IP address will be different each time you start the machine
  2. Click on the Customers Link at the Top
  3. Click on the Signup here Link at the top
  4. Use whatever login and password you want. I will be using Test for the username, test@test.com for the email address and test123 as the password.
  5. Go to the Your Account Page.
  6. Now open the Web Developer Tools (I just use F12)
  7. Go to the network tab and refresh the page (I just use F5 to refresh)
  8. Scroll down, you are looking for an HTTP 200 Status Code. And it should say customer?id=15 (The number will change)
  9. Right click on that line and select Edit and Resend
  10. Change the ?id=15 to ?id=1 and then click on the blue Send button. Then double click on the that to show the secret username
  11. Change the ?id=1 to ?id=3 and then click on the blue Send button. Then double click on the that to show the secret username.

Congratulations, you have now finished the TryHackMe IDOR Room. Now on to the next room!