Remittance
InvoiceVault lets freelancers manage invoices and export their account data. A convenience field in the export API trusts the client a little too much.
The Scenario
InvoiceVault is a six-person SaaS shop that's grown to around four thousand freelancer accounts since 2020 — $9/mo, simple invoice CRUD, one feature a quarter. The new account-export endpoint was scaffolded out of an internal admin tool during a frantic week before a customer data-portability deadline. The engineer who wrote it filed a follow-up ticket the same afternoon; it's been sitting at the bottom of the backlog ever since.
Challenge Intel
Synopsis
An export API trusts a user_id parameter in the POST body instead of reading it from the session.
What It Is
InvoiceVault's /api/account/export endpoint accepts a JSON body with a user_id field. It was added during an admin-tooling sprint, and the user_id it carries was never checked against the authenticated session. Any authenticated user can request another user's account ZIP by setting user_id to a different value. The flag is embedded in the notes column of another user's exported invoice CSV.
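To make the ownership gap concrete, here is an added Python example (not InvoiceVault's code; the service is fictional and no handler source is given on this page) that models the export endpoint twice: once in the flawed shape described above, where the account to export is whatever user_id the JSON body names, and once hardened so the session decides which account is exported, the leftover admin parameter is honoured only for an admin role, and a mismatch is refused and written to an audit log as a detection signal. The data store, user ids, invoice rows, the Request class and the build_export_zip helper are all constructed for this example.

```python
import csv
import io
import zipfile
from dataclasses import dataclass, field

# Constructed stand-in for InvoiceVault's data store; every id, invoice
# number, amount and note below is made up for this example.
INVOICES = {
    1001: [{"number": "A-1", "amount": "120.00", "notes": "net 30"}],
    1002: [{"number": "B-7", "amount": "80.00", "notes": "flag{example-placeholder}"}],
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to export the requested account."""


@dataclass
class Request:
    session_user_id: int                       # identity from the server-side session
    is_admin: bool = False                     # role, also taken from the session
    body: dict = field(default_factory=dict)   # parsed JSON body sent by the client


def build_export_zip(user_id: int) -> bytes:
    """Serialise one account's invoices as invoices.csv inside a ZIP archive."""
    text = io.StringIO()
    writer = csv.DictWriter(text, fieldnames=["number", "amount", "notes"])
    writer.writeheader()
    writer.writerows(INVOICES.get(user_id, []))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoices.csv", text.getvalue())
    return buf.getvalue()


def export_vulnerable(req: Request) -> bytes:
    """The flawed pattern: the account to export is read from the JSON body,
    so any authenticated caller can name any user_id."""
    target = int(req.body["user_id"])
    return build_export_zip(target)


def export_hardened(req: Request, audit_log: list) -> bytes:
    """Fixed handler: the exported account is the session's own account unless
    the session holds the admin role (the use the parameter was built for).
    A non-admin naming a different user_id is refused and the attempt logged."""
    session_uid = req.session_user_id
    requested = req.body.get("user_id")
    target = session_uid if requested is None else int(requested)
    if target != session_uid and not req.is_admin:
        audit_log.append(
            f"export denied: session user {session_uid} supplied user_id={target}"
        )
        raise Forbidden("user_id does not match the authenticated session")
    return build_export_zip(target)


def read_invoices_csv(zip_bytes: bytes) -> list:
    """Parse invoices.csv back out of an export ZIP so results can be inspected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        with zf.open("invoices.csv") as raw:
            return list(csv.DictReader(io.TextIOWrapper(raw, encoding="utf-8")))


if __name__ == "__main__":
    # Same request through both handlers: session user 1001 naming account 1002.
    req = Request(session_user_id=1001, body={"user_id": 1002})
    print("vulnerable:", read_invoices_csv(export_vulnerable(req)))
    log = []
    try:
        export_hardened(req, log)
    except Forbidden as exc:
        print("hardened:", exc, "|", log)
```

The design point is that the authorization decision never consults a client-supplied identifier: the session is the only source of "who is asking", and the body field survives solely as an admin-role feature. Logging the mismatch is what turns a silent bypass into a signal, since a legitimate client never sends a user_id that differs from its own session.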
Who It's For
Testers who are comfortable intercepting HTTP requests and want a clean, confidence-building first IDOR.
Skills You'll Practice
- Identifying IDOR in JSON API request bodies
- Intercepting and modifying POST payloads
- Reading exported data formats (CSV in ZIP)
What You'll Gain
- Understanding how bulk-export endpoints become IDOR vectors
- Recognising when client-supplied identifiers bypass server-side ownership checks
- Pattern recognition for leftover admin parameters in production APIs