Using Burp to Test for Insecure Direct Object References

Access the lab

  1. Open Cyclone.
    attachments/Pasted image 20250314114805.png

  2. Sign in with username cycloneuser-3@cyclonetransfers.com and password `password`.
    attachments/Pasted image 20250314114819.png

  3. Click "My bank accounts" → turn Intercept on → refresh the page so the request is captured.
    attachments/Pasted image 20250314114839.png

  4. Send the intercepted request to Intruder.
    attachments/Pasted image 20250314114854.png

  5. then add 4
    attachments/Pasted image 20250314114908.png

  6. Go to Payload sets → Payload settings → Start attack (configure the values as shown in the screenshot).
    attachments/Pasted image 20250314114935.png

  7. A 304 status is shown for the responses.
    attachments/Pasted image 20250314114952.png

  8. Right-click → Send to Repeater.
    attachments/Pasted image 20250314115006.png

  9. Go to Settings.
    attachments/Pasted image 20250314115027.png

  10. Go to the page → View page source.
    attachments/Pasted image 20250314115048.png

attachments/Pasted image 20250314115059.png

  11. Settings → Grep - Extract → Add → then edit the extraction as follows.
    attachments/Pasted image 20250314115121.png

  12. Go to Payloads → Start attack again.
    attachments/Pasted image 20250314115137.png

  13. You can now view anyone's data and their account details → Show response in browser.
    attachments/Pasted image 20250314115203.png

  14. You can open anyone's account and also learn anyone's details this way; for example, I opened Abiie Christiansen.
    attachments/Pasted image 20250314114726.png
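The sweep above works because the "my bank accounts" endpoint trusts the client-supplied account id and never checks who owns it. The following is an added example (not the lab's or Burp's code) showing that pattern next to its fix, with a helper that replays an id sweep the way Intruder's number payload does; the account data and the second-party usernames are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class BankAccount:
    account_id: int
    owner: str          # username that owns this account
    balance_cents: int

class NotFound(Exception):
    """Raised for ids the caller may not see (or that do not exist)."""

# Constructed sample data; only the first username comes from the lab.
ACCOUNTS = {
    1: BankAccount(1, "cycloneuser-3@cyclonetransfers.com", 120_00),
    2: BankAccount(2, "cycloneuser-3@cyclonetransfers.com", 9_50),
    3: BankAccount(3, "another-user@example.test", 4_300_00),
    4: BankAccount(4, "third-user@example.test", 75_00),
}

def get_account_insecure(session_user: str, account_id: int) -> BankAccount:
    """Vulnerable: looks up whatever id the client sent, ignoring session_user.
    This is exactly what the Intruder sweep exploits."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise NotFound(account_id)
    return acct

def get_account(session_user: str, account_id: int) -> BankAccount:
    """Fixed: the id must exist AND belong to the authenticated user.
    Both failures raise the same error, so a sweep cannot distinguish
    'exists but not yours' from 'does not exist'."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise NotFound(account_id)
    return acct

def readable_ids(handler: Callable[[str, int], BankAccount],
                 session_user: str, ids: Iterable[int]) -> list[int]:
    """Replays an id sweep against a handler and returns the ids the session
    could read; a defender can run this against a handler as a regression test."""
    found = []
    for i in ids:
        try:
            handler(session_user, i)
            found.append(i)
        except NotFound:
            pass
    return found
```

Running `readable_ids(get_account_insecure, "cycloneuser-3@cyclonetransfers.com", range(1, 10))` returns `[1, 2, 3, 4]`, while the fixed handler returns only the user's own `[1, 2]`.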