Insecure direct object references
This lab stores user chat logs directly on the server’s file system, and retrieves them using static URLs.
Reproduction and proof of concept
Select the Live chat tab.
Send a message and then select View transcript.
Review the URL and observe that the transcripts are text files assigned a filename containing an incrementing number.
Change the filename to 1.txt and review the text. Notice that a password appears in the chat transcript.
Return to the main lab page and log in using the stolen credentials.
An attacker will need to find the password for the user carlos and log in to their account.
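The walk the steps above perform by hand, as an added Python example that is not part of the lab or of the original write-up. The transcript store, the owner table, the user names and the "password is ..." wording are constructed for this example; alongside the vulnerable lookup it shows the ownership check the lab's transcript endpoint is missing.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the lab's on-disk transcripts. The file names follow
# the pattern the steps describe (an incrementing number plus ".txt"); the
# contents are invented for this example, not copied from the lab.
TRANSCRIPTS: Dict[str, str] = {
    "1.txt": (
        "CONNECTED: -- Now chatting with Support --\n"
        "You: I forgot my password, can you remind me?\n"
        "Support: Your password is s3cret-example-only\n"
    ),
    "2.txt": "CONNECTED: -- Now chatting with Support --\nYou: thanks, bye\n",
    "3.txt": "CONNECTED: -- Now chatting with Support --\nYou: is the shop open?\n",
}

# Hypothetical ownership table consulted by the hardened handler below.
OWNERS: Dict[str, str] = {"1.txt": "carlos", "2.txt": "wiener", "3.txt": "wiener"}


def vulnerable_download(filename: str, session_user: str) -> Optional[str]:
    """The lab's pattern: the filename taken from the URL is the only lookup
    key. session_user is accepted but never consulted, which is the IDOR."""
    return TRANSCRIPTS.get(filename)


def hardened_download(filename: str, session_user: str) -> Optional[str]:
    """Same lookup, but bound to the authenticated session. Only '<digits>.txt'
    is accepted, so the handler cannot be pointed at arbitrary paths, and the
    transcript is returned only to the user it belongs to."""
    if not re.fullmatch(r"\d+\.txt", filename):
        return None
    if OWNERS.get(filename) != session_user:
        return None  # 403/404 in a real app; do not reveal whether the file exists
    return TRANSCRIPTS.get(filename)


def enumerate_transcripts(fetch: Callable[[str], Optional[str]],
                          observed: str) -> Dict[str, str]:
    """Walk the incrementing-number filenames downward from the one observed in
    the URL and collect every transcript the endpoint hands back."""
    m = re.fullmatch(r"(\d+)\.txt", observed)
    if not m:
        raise ValueError(f"unexpected transcript name: {observed!r}")
    found: Dict[str, str] = {}
    for n in range(int(m.group(1)) - 1, 0, -1):
        name = f"{n}.txt"
        body = fetch(name)
        if body is not None:
            found[name] = body
    return found


# Assumed phrasing of a credential disclosure in the constructed transcript.
PASSWORD_RE = re.compile(r"password is (\S+)", re.IGNORECASE)


def find_passwords(text: str) -> List[str]:
    """Pull candidate credentials out of a transcript body."""
    return PASSWORD_RE.findall(text)


if __name__ == "__main__":
    # The attacker, logged in as "wiener", saw their own transcript as 3.txt.
    leak = enumerate_transcripts(lambda n: vulnerable_download(n, "wiener"), "3.txt")
    for name, body in leak.items():
        for pw in find_passwords(body):
            print(f"{name}: credential exposed -> {pw}")
    # The hardened handler only returns wiener's own earlier transcript.
    print(sorted(enumerate_transcripts(lambda n: hardened_download(n, "wiener"), "3.txt")))
```

Against the vulnerable handler the walk reaches 1.txt and surfaces the constructed password; against the hardened handler the same walk returns only the caller's own transcript, which is the behaviour the lab's endpoint should have had.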