Vulnerability A4 Insecure Direct Object References Description:



For almost all levels I will be using Burpsuite. Burpsuite is an interception proxy that lets us modify the HTTP request / response by intercepting the data between the browser and the web server.

This time we are presented with a web page that has 3 links, ‘Bio’, ‘Clients’ and ‘About’. Each link embeds a text file into the page, ‘file1.txt’, ‘file2.txt’ and ‘file3.txt’ respectively. The url parameter is ‘file’ with one of the txt filenames as argument.

Lets try substituting the inserted text file with an php file located in by using the following url

Unfortunately, we hit a filter.


We can bypass it by using some capital characters in the ‘http’ keyword like so

It looks like the filter was not case-insensitive and we were able to bypass it however, now it doesn’t like the file extension.


One trick to circumvent this is to insert a null byte (%00 url encoded), but this time it did not work. After some trial and error I saw the second Hint stating that there’s a regular-expression restriction, so I changed the filename from index.php to ‘file1.txt’ with ‘.php’ extension to successfully complete the level.


If I have to guess, their regular-expression restriction could be looking for the 3 ‘permitted’ filenames, ‘file1.txt’, ‘file2.txt’ and ‘file3.txt’ when loading a file into the page.