Sec Research Lab
Web Security Lab

IDOR Hunter

Insecure Direct Object Reference Security Analysis

Educational Purpose Only — Practice only on systems you own or have explicit written permission to test.

Level 1: Profile Peeking

Easy

This user profile page uses a numeric ID in the URL to display user information. The server trusts the ID without verifying ownership.

Objective

Access the admin user's profile by manipulating the user ID parameter.

Scenario

You are logged in as "guest" (user_id=1). The profile URL is /profile?id=1. Can you view admin's profile?
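The flaw this level describes, as an added example that is not part of the lab's own code: a minimal model of the /profile?id=N handler, first trusting the URL id as the lab says the server does, then with the ownership check that closes the IDOR. The user records, session dictionary, and function names are constructed for illustration.

```python
USERS = {
    1: {"username": "guest", "email": "guest@example.test", "role": "user"},
    2: {"username": "admin", "email": "admin@example.test", "role": "admin"},
}


def parse_id(raw):
    """The id arrives as a query-string value; accept only a positive integer."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    return value if value > 0 else None


def vulnerable_profile(session, query_id):
    """Level 1 as described: the id from the URL is trusted and looked up directly."""
    user_id = parse_id(query_id)
    if user_id is None:
        return 400, {"error": "bad id"}
    profile = USERS.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile  # any logged-in user can read any profile


def hardened_profile(session, query_id):
    """Fix: the requested id must belong to the authenticated session, or the caller
    must be an admin. Denials return 404 so the response does not confirm the id exists."""
    user_id = parse_id(query_id)
    if user_id is None:
        return 400, {"error": "bad id"}
    caller = USERS.get(session["user_id"])
    if caller is None or (user_id != session["user_id"] and caller["role"] != "admin"):
        return 404, {"error": "not found"}
    profile = USERS.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


if __name__ == "__main__":
    guest_session = {"user_id": 1}  # constructed: logged in as guest
    print(vulnerable_profile(guest_session, "2"))  # admin's record leaks
    print(hardened_profile(guest_session, "2"))    # (404, {'error': 'not found'})
```

The check belongs on every object lookup keyed by a client-supplied id, not only on this route; the same pattern applies to orders, documents, or messages addressed by number.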
