BugForge - Daily - Copy Pasta

Daily - Copy Pasta

Vulnerabilities Covered

IDOR (Insecure Direct Object Reference)

Summary

The CopyPasta application allows users to create and share code snippets with options to make them public or private. The snippet retrieval endpoint (/api/snippets/:id) uses sequential integer identifiers without proper authorization checks, allowing any authenticated user to enumerate IDs and access private snippets belonging to other users. By iterating through snippet IDs using Caido Replay, private snippets containing sensitive data including the challenge flag can be retrieved, demonstrating a classic IDOR vulnerability on the read operation.

Reference

1. Initial Reconnaissance

Before signing up, examine the login page source code for any developer comments or hidden information. While this challenge did not reveal anything in the source, always check for horizontal scrolling as CTFs sometimes hide clues off-screen.

Attempt basic SQL injection on the login form using payloads such as admin' OR 1=1;-- -. The application returns a generic “Invalid credentials” message, indicating that username enumeration via error messages is not possible.

2. Account Registration and Traffic Analysis

Register a new user account while capturing traffic in Caido. The goal is to determine whether the client is sending role or permission fields to the backend during registration, and whether the endpoint is vulnerable to Mass Assignment.

[Screenshot: Register Request]

3. Application Mapping

[Screenshot: Dashboard]

After logging in, explore the application functionality:

  • Account Management: Update Account and attempt account deletion
  • My Snippets / Dashboard: Create and manage personal code snippets
  • Public: View publicly shared snippets from all users with search and language filter options
  • Create Snippet: Form with title, language, code content, and visibility toggle (public/private)

Create a test snippet and observe the response. Note the id field (sequential integer) and share_code field (long token string) returned in the response.

4. Identifying the IDOR Vector

When viewing a public snippet, observe that the URL follows the pattern /snippet/:id and the API endpoint is /api/snippets/:id.

[Screenshot: GET Snippet Request]

Key observations:

  • The public dashboard shows 6 snippets
  • When creating your own snippet, the returned id value suggests there are more snippets than publicly visible (e.g., id of 8 indicates snippets 1-7 already exist)
  • This discrepancy suggests some snippets are private and potentially accessible via direct ID reference

5. Exploiting the IDOR Vulnerability

Send the GET request for /api/snippets/1 to Caido Replay. Configure the attack:

  • Set the snippet ID as the payload position
  • Use a numeric payload list (e.g., 1-50)
  • Remove the If-None-Match header if present to avoid 304 responses

[Screenshot: Automate Configuration]

Launch the attack and analyse the responses. Filter results by response length or status code to identify unique snippets.

6. Flag Retrieval

Review the Replay results to identify snippets that are not visible in the public dashboard. One of the private snippets contains the flag in the response body.

The flag follows the format bug{FLAG} and can be found by:

  • Comparing Replay results against the public snippet list
  • Searching response bodies for the flag format
  • Identifying snippets where public: 0 indicates private status

[Screenshot: Flag]

Impact

  • Unauthorized access to private snippets belonging to other users
  • Exposure of potentially sensitive code or data stored in private snippets
  • Complete bypass of intended access control boundaries

Vulnerability Classification

  • OWASP Top 10: Broken Access Control
  • Vulnerability Type: Insecure Direct Object Reference (IDOR)
  • Attack Surface: Snippet retrieval endpoint (/api/snippets/:id)
  • CWE: CWE-639 - Authorization Bypass Through User-Controlled Key

Root Cause

The backend does not verify snippet ownership or visibility permissions when processing GET requests for individual snippets. The application relies solely on user-supplied identifiers without performing authorization checks to ensure the requesting user has permission to view the resource.

Remediation

  • Implement server-side authorization checks to verify that the authenticated user owns the snippet or the snippet is marked as public before returning its contents
  • Consider using non-sequential identifiers such as UUIDs to make enumeration more difficult (though this is defense-in-depth, not a substitute for proper authorization)
  • Apply consistent access control checks across all snippet-related endpoints (view, update, delete)
  • Log and monitor for unusual patterns of sequential ID access that may indicate enumeration attempts
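
The root cause and the first remediation bullet side by side, as an added example that is not the CopyPasta application's own code: a small in-memory model of the /api/snippets/:id read handler, once with only a login check (the IDOR) and once with the missing ownership/visibility check. The id, public and share_code fields follow what the write-up observed; the owner_id column, the Map standing in for the database and the sample rows are assumptions.

```javascript
// Constructed sample data: sequential ids, mixed visibility, two owners.
// The owner_id column is an assumption; id, public and share_code are the
// fields the write-up observed in the real responses.
const SNIPPETS = [
  { id: 1, owner_id: 10, public: 1, title: 'hello', code: 'print("hi")', share_code: 'tok-1' },
  { id: 2, owner_id: 10, public: 0, title: 'notes', code: 'API_KEY=constructed', share_code: 'tok-2' },
  { id: 3, owner_id: 20, public: 0, title: 'flag', code: 'bug{CONSTRUCTED_PLACEHOLDER}', share_code: 'tok-3' },
];
const db = new Map(SNIPPETS.map((s) => [s.id, s]));

// Vulnerable: the only check is that someone is logged in, so any
// authenticated user can walk /api/snippets/1..N and read private rows.
function getSnippetVulnerable(userId, id) {
  if (userId == null) return { status: 401, body: { error: 'unauthenticated' } };
  const snippet = db.get(Number(id));
  if (!snippet) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: snippet };
}

// Authorization rule: a snippet is readable if it is public or if the
// requester owns it. This is the check the backend was missing.
function canRead(snippet, userId) {
  return snippet.public === 1 || snippet.owner_id === userId;
}

// Hardened: same lookup, then the ownership/visibility check. A denied read
// returns 404, not 403, so the status code does not confirm that a hidden
// id exists (a 403 would still tell an enumerator which ids are real).
function getSnippetHardened(userId, id) {
  if (userId == null) return { status: 401, body: { error: 'unauthenticated' } };
  const snippet = db.get(Number(id));
  if (!snippet || !canRead(snippet, userId)) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: snippet };
}

// Walk ids 1..3 as user 99 (owns nothing) through both handlers:
// vulnerable returns 200 for all three, hardened returns 200 only for id 1.
for (const id of [1, 2, 3]) {
  console.log(id, getSnippetVulnerable(99, id).status, getSnippetHardened(99, id).status);
}
```

The same canRead rule belongs in front of the update and delete handlers as well, since the third remediation bullet asks for consistent checks across every snippet endpoint.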
Zw4rts

© 2026 Zw4rts. All rights reserved.