Broken Access Control

Insecure Direct Object Reference (IDOR) • Beginner


Objective: Access another user's private account data.

Try: Modify the user identifier in the request.

👤 Design: Compare identity boundaries. You vs the requested object.
Everything here is simulated and sandboxed to this site—no real accounts, no real services.

1) Demo

Here is the feature “working” as implemented in this mode.

App Output

Session (You): Name: Alex Morgan | Role: Free | Email: alex@music.app | Balance: $12.04

Requested (Target): Name: Alex Morgan | Role: Free | Email: alex@music.app | Balance: $12.04

Server chose user: 1 (from URL parameter)

Why this feels real: you didn’t “hack” anything — you just asked for a different object.

Response
Status: 200 OK
Response Headers: (none)

2) How the code works

This section shows the mental model: what the server is “thinking”.

const userId = request.query.user; // attacker-controlled: taken straight from the URL
return db.getUser(userId);         // no check that the session owns this account

3) The issue

The app trusts a user-controlled identifier (the URL) to choose which account to return.

Real-world impact: IDOR bugs leak private data (profiles, orders, invoices) and can escalate to full account takeover.

4) Exploit it

Edit the raw request below. You can change method, path/query, headers, and body. Then send it. The server will parse what you typed and re-run the simulation.

Request Editor
Tip: For secure mode tests, add a cookie like: Cookie: session=1; role=Admin

Parsed View (what the server read)
method: GET
path: /account?user=1
headers: host: kylerburke.dev
body: (empty)


5) Fix

Secure Mode shows the fix behavior. Flip modes and send the same request.

Never derive identity from client input. Use server-side session state and enforce authorization checks.
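The vulnerable handler from section 2 beside the fix described here, as an added example that is not the demo site's own code. It uses a constructed in-memory user table and session store, and placeholder names (db, sessions, vulnerableAccount, secureAccount) chosen for this illustration; the cookie format matches the tip in section 4, but only the session id is used as a lookup key and any client-supplied role is ignored.

```javascript
// Constructed sample data so the example runs offline (not the site's real users).
const db = new Map([
  [1, { id: 1, name: "Alex Morgan", role: "Free", email: "alex@music.app", balance: 12.04 }],
  [2, { id: 2, name: "Other User", role: "Premium", email: "other@music.app", balance: 99.5 }],
]);
// Server-side session store: the client only ever holds the opaque session id.
const sessions = new Map([["s-alex", { userId: 1, role: "Free" }]]);

// Parse "Cookie: session=1; role=Admin" into an object. The secure handler
// trusts nothing in here except the session id, which it resolves server-side.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k) out[k] = v.join("=");
  }
  return out;
}

// Vulnerable: identity is derived from the URL, so any caller can name any id.
function vulnerableAccount(request) {
  const userId = Number(request.query.user);
  const user = db.get(userId);
  return user ? { status: 200, body: user } : { status: 404 };
}

// Fixed: identity comes from server-side session state, and the requested
// object is compared against that identity before anything is returned.
function secureAccount(request) {
  const cookies = parseCookies(request.headers.cookie);
  const session = sessions.get(cookies.session); // cookies.role is deliberately unused
  if (!session) return { status: 401 };
  // The query parameter may only name the caller's own account.
  const requested = request.query.user === undefined ? session.userId : Number(request.query.user);
  if (requested !== session.userId) return { status: 403 }; // authorization check
  const user = db.get(session.userId);
  return user ? { status: 200, body: user } : { status: 404 };
}
```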

Video

Short visual explanation to match what you just did.