Gift List
This is my very first and my very own lab featured on BugForge!
After clicking through this site, you might notice that when you hit share list, you get a very cool, yet very familiar share link.

A Base64 encoding is always worth decoding!
In Burp Suite, you'll find that the decoded string is listWithId-<id>.

This is a very predictable ID, which makes it a classic IDOR (insecure direct object reference) candidate: it should be tested to see if we can directly access other lists without them being shared with us. So we Base64 encode listWithId-1 and try to access that list.
The payload bGlzdFdpdGhJZC0x is placed at the end of the share link.

And just like that, we get our flag 🇧🇪
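For anyone fixing this pattern, here is the weak share-link scheme next to a hardened one. This is an added example, not the lab's actual code: the LISTS and SHARES stores, the owner names and all function names are assumptions made up for illustration.

```python
import base64
import binascii
import secrets

# Constructed sample data (not from the lab): list id -> owner.
LISTS = {1: "alice", 2: "bob"}
# Hardened store: random token -> list id, filled only when an owner shares.
SHARES = {}

def weak_share_token(list_id):
    """The scheme from the write-up: Base64 of 'listWithId-<id>'."""
    return base64.b64encode(f"listWithId-{list_id}".encode()).decode()

def weak_resolve(token):
    """Vulnerable lookup: trusts whatever ID decodes out of the token."""
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    prefix, _, raw_id = decoded.partition("-")
    if prefix != "listWithId" or not raw_id.isdigit():
        return None
    list_id = int(raw_id)
    # No check that this list was ever shared, or with whom.
    return list_id if list_id in LISTS else None

def create_share(list_id, requester):
    """Hardened: only the owner can mint a link, and the token is random."""
    if LISTS.get(list_id) != requester:
        raise PermissionError("only the owner can share this list")
    token = secrets.token_urlsafe(32)  # 256 bits, carries no list ID
    SHARES[token] = list_id
    return token

def resolve_share(token):
    """Hardened lookup: the token must have been issued by create_share."""
    return SHARES.get(token)

if __name__ == "__main__":
    guessed = weak_share_token(2)           # bob never shared list 2
    print("weak:", weak_resolve(guessed))   # still resolves to list 2
    print("hardened:", resolve_share(guessed))  # not an issued token
    real = create_share(1, "alice")
    print("issued:", resolve_share(real))
```

The point of the hardened version is that the token is only a lookup key: nothing about the list can be derived from it, and a list with no issued token cannot be reached through the share route at all.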
This was such an honor being featured on a platform like BugForge! I hope you enjoyed it as much as I enjoyed building it.