Example - IDOR, try it!

  1. Register 2 accounts (user A and user B)

    2. On the user A:

  2. Press on the first link "Continue reading..."
  3. Notice the URL format
  4. Press on any other link
  5. Notice the number in URL is changing
  6. Press on the second link "Delete"
  7. Remember the URL format and request method

    8. On the user B:

  8. Press on the first link "Continue reading..."
  9. Change the username to user A in URL
  10. Notice that we cannot read the jokes
  11. Open Developer tools
  12. Paste the following code to console, but change user to user A and id to 1 or 2:

    fetch("/idor-workshop-practice-2/delete/user/id", { method: 'DELETE', }) .then(response => response.text()) .then(text => console.log(text))

  13. Notice that we deteled other user's joke
  14. You can return to user A session and check that the joke is gone
  15. Well done!

To work with you jokes you need to create account

Username:

Password: