mabdullah22/idor_lab

IDOR Vulnerability Lab - Crypto Exchange Simulation

This is a deliberately vulnerable web application that simulates a custodial cryptocurrency exchange with an IDOR (Insecure Direct Object Reference) vulnerability. It's designed for educational purposes to demonstrate how IDOR vulnerabilities can be exploited.

Vulnerability Overview

This application has a critical IDOR vulnerability in the fund transfer functionality. The vulnerability allows an attacker to:

  1. Log in as a legitimate user
  2. Initiate a fund transfer request
  3. Intercept and modify the request to change the sender_id parameter to a different user's ID
  4. Successfully transfer funds from the victim's account to any account without proper authorization

Setup Instructions

Prerequisites

  • Node.js (v14+)
  • npm

Installation

  1. Clone this repository
  2. Navigate to the project directory
  3. Install dependencies:
    npm install
    
  4. Start the application:
    npm start
    
    or for development with auto-reload:
    npm run dev
    
  5. Access the application at http://localhost:3000

Exploitation Lab Instructions

Scenario

You are a regular user of the crypto exchange. You've found out about a potential vulnerability in the fund transfer functionality and want to test if you can exploit it to transfer funds from another user's account to your own.

Steps to Exploit

  1. Setup Burp Suite:

    • Configure your browser to use Burp Suite as a proxy
    • Ensure Intercept is turned on
  2. Login to Your Account:

    • Login with one of the following accounts:
      • Username: alice, Password: password123
      • Username: bob, Password: password123
      • Username: charlie, Password: password123
  3. Identify the Victim:

    • On the dashboard, you'll see your user ID displayed
    • Your goal is to transfer funds from the user with ID 4 (username: victim)
  4. Initiate a Normal Transfer:

    • Go to the "Send Funds" section
    • Select any user as the recipient
    • Enter a small amount to transfer (e.g., $10)
    • Click "Send Funds"
  5. Intercept the Request with Burp Suite:

    • When you click "Send Funds," Burp Suite will intercept the POST request
    • Examine the request parameters
    • You'll see a parameter called sender_id with your user ID
  6. Modify the Request:

    • Change the sender_id value from your ID to the victim's ID (4)
    • Ensure the recipient_id is set to your own user ID
    • Forward the modified request
  7. Verify the Exploit:

    • If successful, you'll be redirected to the dashboard
    • Check your balance - it should have increased
    • The victim's funds have been transferred to your account without their authorization

Security Issues Demonstrated

  1. Insecure Direct Object Reference (IDOR):

    • The application trusts user-supplied IDs without verifying ownership
    • No server-side validation to ensure the logged-in user owns the sending account
  2. Improper Access Control:

    • The application fails to enforce proper access controls on sensitive operations
    • No authentication check for financial transactions
  3. Trust in Client-Side Parameters:

    • The application blindly trusts parameters sent from the client
    • No validation against session data to ensure legitimacy

How to Fix

The proper fix would be to:

  1. Never trust user-supplied IDs for sensitive operations
  2. Always derive the sender ID from the authenticated session
  3. Implement proper server-side ownership validation
  4. Use cryptographic signatures or tokens to validate transaction requests
  5. Implement proper logging and monitoring for suspicious activities

Disclaimer

This application is intentionally vulnerable and is designed for educational purposes only. Do not deploy this application in a production environment or use the demonstrated techniques against real-world systems without proper authorization.

License

MIT
