BugForge - Daily - Gift Lab (Repeat)

Daily - Gift Lab (Repeat)

This is a repeat of the daily challenge from February 19th, 2026.


Vulnerability Overview

The Gift Lab application contains an Insecure Direct Object Reference (IDOR) vulnerability in its list sharing functionality. The application generates share links by base64 encoding an identifier string (e.g., listWithId-2); base64 is a reversible encoding, not encryption, and provides no security guarantee. By decoding the share link, changing the list identifier to reference another user's list (e.g., listWithId-1), and re-encoding the manipulated value, an attacker gains unauthorized read access to any user's wish list. The server performs no ownership or authorization check when resolving the shared list identifier, so the base64 encoding offers only a false sense of obscurity rather than a genuine access control mechanism.

Key Issues:

  • The server resolves shared list identifiers without verifying ownership or authorization
  • Base64 encoding of predictable, sequential list identifiers provides no security - it is trivially reversible
  • Any authenticated user can enumerate and access other users’ private wish lists by manipulating the encoded token
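The following is an added illustration, not code from the Gift Lab application: a minimal resolver that reproduces the weakness described above (reversible token, no ownership check) beside a hardened design that uses opaque random share tokens and enforces ownership on direct access. The list data, user names and function names are constructed for the example.

```python
import base64
import secrets

# Constructed in-memory store; the real Gift Lab backing data is not on the page.
LISTS = {1: {"owner": "alice", "items": ["book"]},
         2: {"owner": "bob", "items": ["lamp"]}}

def make_share_token_weak(list_id):
    # Vulnerable pattern from the write-up: base64 of a predictable identifier.
    return base64.b64encode(f"listWithId-{list_id}".encode()).decode()

def resolve_weak(token):
    # Vulnerable: decodes the token and serves whatever list it names.
    # No check that the requester owns list_id or was granted access (CWE-639).
    list_id = int(base64.b64decode(token).decode().split("-", 1)[1])
    return LISTS[list_id]["items"]

# Hardened design (hypothetical, not the application's code): share links carry
# a random, unguessable token mapped server-side to a list; nothing about the
# list identifier is recoverable from the token.
SHARES = {}

def create_share(list_id, requester):
    # Only the owner may mint a share link for their own list.
    if LISTS[list_id]["owner"] != requester:
        raise PermissionError("not the owner")
    token = secrets.token_urlsafe(32)
    SHARES[token] = list_id
    return token

def resolve_share(token):
    # Opaque token lookup; unknown or tampered tokens are simply rejected.
    list_id = SHARES.get(token)
    if list_id is None:
        raise PermissionError("unknown share token")
    return LISTS[list_id]["items"]

def get_own_list(list_id, requester):
    # Direct (non-shared) access path: enforce ownership on every request.
    entry = LISTS.get(list_id)
    if entry is None or entry["owner"] != requester:
        raise PermissionError("forbidden")
    return entry["items"]
```

Server-side logging of rejected share tokens and forbidden direct accesses gives defenders a detection signal for enumeration attempts against the share endpoint.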

Vulnerabilities Covered

  • IDOR (Insecure Direct Object Reference) via base64-encoded share tokens

Classification

  • OWASP Top 10: A01:2021 - Broken Access Control
  • Vulnerability Type: Insecure Direct Object Reference (IDOR)
  • Attack Surface: List share endpoint, base64-encoded list identifier parameter
  • CWE: CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE: CWE-284 - Improper Access Control

This post is licensed under CC BY 4.0 by the author.