easy

Level 8: Server Fingerprinting (No Server Header)

Recon

Challenge Description

The origin hides its Server header. Determine which web server powers this app anyway.

Objective

User profiles are accessed via a ?user=ID parameter. The application does not verify whether you are authorized to view the requested profile. Access the admin's secret data.

What you'll learn
  • What IDOR vulnerabilities are
  • Enumerating user IDs
  • Why authorization checks are critical
Need a Hint?
Trigger a server-generated error (e.g., 405 at /probes/methods) to fingerprint behavior.

Try these user IDs:

  • ?user=1 - Regular user
  • ?user=2 - Another regular user
  • ?user=999 - Hmm...

Administrator accounts often use special IDs like 0, 1, 999, 1000, etc.

User Profile Viewer

Your ID: 2
Vulnerable Code
<?php
// The profile id is taken straight from the query string (?user=ID).
$userId = $_GET['user'];

// VULNERABLE: No authorization check! Any authenticated user can request any ID.
$profile = getProfile($userId);

// Should check: if ($profile->userId !== $currentUserId && !isAdmin()) { die(); }

// The requested profile is rendered regardless of who asked for it.
displayProfile($profile);
Always verify the current user has permission to access the requested resource!
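The following is an added example, not the challenge's own code: it puts the IDOR handler above next to a hardened version so the missing authorization check can be seen side by side. The in-memory $profiles array, the currentUserId() and isAdmin() helpers, and the session layout are all constructed assumptions for this example.

```php
<?php
// Added example (not part of the challenge): vulnerable vs. hardened profile lookup.
// Constructed in-memory data stands in for the challenge's getProfile() backend.
$profiles = [
    1   => ['userId' => 1,   'name' => 'alice', 'secret' => 'alice-notes'],
    2   => ['userId' => 2,   'name' => 'bob',   'secret' => 'bob-notes'],
    999 => ['userId' => 999, 'name' => 'admin', 'secret' => 'ADMIN-SECRET'],
];

// Assumed session model: the signed-in user's id and role live in the
// server-side session and are never taken from the request.
function currentUserId(): int { return (int)($_SESSION['user_id'] ?? 0); }
function isAdmin(): bool { return ($_SESSION['role'] ?? '') === 'admin'; }

function getProfile(array $profiles, int $id): ?array { return $profiles[$id] ?? null; }

// VULNERABLE: trusts ?user= and returns whatever record it names.
function viewProfileVulnerable(array $profiles, string $rawId): array {
    $profile = getProfile($profiles, (int)$rawId);
    return $profile ?? ['status' => 404, 'error' => 'User not found'];
}

// HARDENED: validate the id, then require that the caller owns the record or
// is an admin. "Not found" and "not allowed" return the same response so that
// valid ids cannot be enumerated by telling a 403 apart from a 404.
function viewProfileHardened(array $profiles, string $rawId): array {
    if (!ctype_digit($rawId)) {
        return ['status' => 400, 'error' => 'Invalid user id'];
    }
    $id = (int)$rawId;
    $profile = getProfile($profiles, $id);
    $allowed = $profile !== null
        && ($profile['userId'] === currentUserId() || isAdmin());
    if (!$allowed) {
        // Denied lookups are logged: a burst of these from one session is the
        // detection signal for id enumeration.
        error_log(sprintf('profile access denied: session user=%d requested=%d',
                          currentUserId(), $id));
        return ['status' => 404, 'error' => 'User not found'];
    }
    return ['status' => 200, 'profile' => $profile];
}

// Demonstration: bob (id 2) is signed in and asks for id 999.
$_SESSION = ['user_id' => 2, 'role' => 'user'];
var_dump(viewProfileVulnerable($profiles, '999')); // returns the admin record
var_dump(viewProfileHardened($profiles, '999'));   // status 404, nothing leaked
var_dump(viewProfileHardened($profiles, '2'));     // status 200, bob's own profile
var_dump(viewProfileHardened($profiles, 'abc'));   // status 400, rejected input
```

The ownership check compares the record's owner with the session's user id, not with anything sent by the client; the role check is the only path that widens access, and it also comes from the session. Returning an identical response for missing and forbidden ids is what stops the "try 1, 2, 999" enumeration from the hint.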