IDORable Bistro⚓︎

Difficulty:
Direct link: IDORable Bistro
Area: Sasabune
In-game avatar: Josh Wright
Hints⚓︎
QR Codes
I have been seeing a lot of receipts lying around with some kind of QR code on them. I am pretty sure they are for Duke Dosis's Holiday Bistro. Interesting...see if you can find one and see what they are all about...
Will the Real ID Please...
Sometimes...developers put in a lot of effort to anonymize information by using randomly generated identifiers...but...there are also times where the "real" ID is used in a separate network request...
What's For Lunch?
I had tried to scan one of the QR codes and it took me to somebody's meal receipt! I am afraid somebody could look up anyone's meal if they have the correct ID...in the correct place.
Item⚓︎
We get a receipt outside the Sasabune bistro.

Objective⚓︎
Request
Josh has a tasty IDOR treat for you—stop by Sasabune for a bite of vulnerability.
What is the name of the gnome?
Josh Wright
I need your help with something urgent.
A gnome came through Sasabune today, poorly disguising itself as human - apparently asking for frozen sushi, which is almost as terrible as that fusion disaster I had to endure that one time.
Based on my previous work finding IDOR bugs in restaurant payment systems, I suspect we can exploit a similar vulnerability here.
I was...at a talk recently...and learned some interesting things about some of these payment systems.
Let's use that receipt to dig deeper and unmask this gnome's true identity.
High-Level Steps⚓︎
- Discover – Identify receipt endpoints from the QR code.
- Test – Enumerate receipt IDs to confirm an IDOR vulnerability.
- Extract – Retrieve the target receipt and identify the gnome.
flowchart TD
subgraph Row1["Discover"]
direction LR
A[Scan QR code]
B[Identify receipt endpoint]
A --> B
end
subgraph Row2["Test"]
direction LR
C[Modify receipt ID parameter]
D[Enumerate receipt IDs]
C --> D
end
subgraph Row3["Extract"]
direction LR
E[Locate matching receipt]
F[Identify gnome name]
G[Objective completed]
E --> F --> G
end
Row1 --> Row2
Row2 --> Row3
Solution⚓︎
Scanning the QR code gives the URL below.
https://its-idorable.holidayhackchallenge.com/receipt/i9j0k1l2
Browsing that URL reveals that the page loads its data from the API endpoint below, where the random-looking receipt code is replaced by a plain numeric ID.
https://its-idorable.holidayhackchallenge.com/api/receipt?id=103
Just going to the API URL shows the API output in JSON format.

Changing the ID to a different receipt returns a different receipt without any authentication, which confirms the API has an IDOR vulnerability.
https://its-idorable.holidayhackchallenge.com/api/receipt?id=104
Next we fuzz the API URL with receipt IDs from 1 to 200 and match on the word "frozen" in the response body, since the request says the gnome asked for frozen sushi. The command below does exactly that and we get a hit.
seq 1 200 | ffuf -w - -u "https://its-idorable.holidayhackchallenge.com/api/receipt?id=FUZZ" -mr "frozen"
We get a hit for receipt id 139.
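From the defender's side, the sweep above leaves an obvious trace: one client requesting dozens of distinct receipt IDs within a few minutes, something no ordinary diner reviewing their own receipt ever does. The following detector is an added example and not part of the challenge or the writeup; it assumes a combined-format web access log and the `/api/receipt?id=N` path from the solution, and the log lines it runs over are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format lines; the regex is an assumption about the log shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RECEIPT_RE = re.compile(r'^/api/receipt\?id=(?P<rid>\d+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_receipt_requests(lines):
    """Yield (ip, timestamp, receipt_id, status) for each hit on the receipt API."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = RECEIPT_RE.match(m["path"])
        if not r:
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(r["rid"]), int(m["status"])


def find_enumerators(lines, window=timedelta(minutes=5), min_distinct=20):
    """Return {ip: most distinct receipt ids requested inside any `window`}
    for clients at or above `min_distinct`. A diner opening their own receipt
    touches one or two ids; an ID sweep touches dozens in minutes."""
    per_ip = defaultdict(list)
    for ip, ts, rid, _status in parse_receipt_requests(lines):
        per_ip[ip].append((ts, rid))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({rid for _, rid in hits[start:end + 1]}))
        if best >= min_distinct:
            flagged[ip] = best
    return flagged


def _sample_log():
    """Constructed sample: one client sweeping ids 1-40 in 40 seconds,
    one ordinary diner reloading their own receipt twice."""
    base = datetime(2025, 12, 20, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, ts, rid):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /api/receipt?id={rid} HTTP/1.1" 200 512'

    lines = [fmt("203.0.113.7", base + timedelta(seconds=i), i) for i in range(1, 41)]
    lines.append(fmt("198.51.100.4", base + timedelta(minutes=7), 103))
    lines.append(fmt("198.51.100.4", base + timedelta(minutes=8), 103))
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct receipt ids within 5 minutes")
```

Counting distinct IDs rather than raw request volume is the point: a user refreshing the same receipt fifty times is noise, while forty different IDs from one address in forty seconds is the signature of enumeration regardless of how slowly it is paced within the window.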

Manually looking at the API response for receipt id 139.
https://its-idorable.holidayhackchallenge.com/api/receipt?id=139
We have the name: Bartholomew Quibblefrost
Answer
Bartholomew Quibblefrost
Response⚓︎
Josh Wright
Excellent work!
You've demonstrated textbook penetration testing skills across every challenge - your discipline and methodology are impeccable!
Learnings⚓︎
- This was my first challenge where a QR code was used to hide the identifiers, but it is still the same old IDOR vulnerability in the API.
Prevention & Hardening Notes⚓︎
- QR code or not, enforce authorization checks on every object request server-side, ensuring users can only access resources they are explicitly permitted to view.
- Don't use predictable or sequential identifiers in APIs.
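The two notes above are easiest to see side by side in code. The example below is added here and is not the bistro's code or anything from the challenge; it uses a constructed in-memory store with a sequential-ID lookup that mirrors the behaviour of `/api/receipt?id=N`, next to a hardened lookup that keys on an unguessable token and still verifies that the caller owns the receipt. The user names and receipt items are made up.

```python
import secrets
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for both unknown and not-owned receipts, so a caller cannot
    tell whether a token exists (no existence oracle)."""


@dataclass
class Receipt:
    owner: str
    items: list


class ReceiptStore:
    """In-memory stand-in for the bistro's receipt database (constructed)."""

    def __init__(self):
        self._by_seq = {}    # sequential id -> receipt (what ?id=103 keyed on)
        self._by_token = {}  # opaque token -> receipt
        self._next_seq = 100

    def add(self, owner, items):
        seq = self._next_seq
        self._next_seq += 1
        token = secrets.token_urlsafe(16)  # 128 random bits: not enumerable
        receipt = Receipt(owner, items)
        self._by_seq[seq] = receipt
        self._by_token[token] = receipt
        return seq, token

    def get_receipt_vulnerable(self, receipt_id):
        """Mirrors /api/receipt?id=N: keyed on a sequential integer and it
        never asks who is calling, so any id anyone can count to is readable."""
        try:
            return self._by_seq[receipt_id]
        except KeyError:
            raise NotFound() from None

    def get_receipt_hardened(self, current_user, token):
        """Keyed on an unguessable token AND checked against the caller's
        identity; the ownership check is what actually stops the IDOR, the
        random token only removes the cheap enumeration path."""
        receipt = self._by_token.get(token)
        if receipt is None or receipt.owner != current_user:
            raise NotFound()
        return receipt


def demo():
    """Exercise both lookups and return what each outcome was."""
    store = ReceiptStore()
    seq, token = store.add("alice", ["nigiri set"])
    results = {}
    # vulnerable: bob reads alice's receipt just by knowing (or counting to) its number
    results["vuln_cross_user"] = store.get_receipt_vulnerable(seq).owner
    # hardened: alice reads her own receipt via the token
    results["hardened_owner"] = store.get_receipt_hardened("alice", token).owner
    # hardened: bob presenting alice's token is refused
    try:
        store.get_receipt_hardened("bob", token)
        results["hardened_cross_user"] = "allowed"
    except NotFound:
        results["hardened_cross_user"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

Note the ordering in the hardened path: the token lookup and the ownership comparison both collapse to the same `NotFound`, so a leaked or guessed token tells the holder nothing unless they are also the owner. Swapping sequential IDs for random ones without that check would have left this challenge exactly as solvable for anyone who picked up a receipt.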