{% extends 'scenario-basic.html' %} {% block title-text %} Tiredful API:Insecure Direct Object Reference {% endblock %} {% block content %}

Challenge: Insecure Direct Object Reference

An online exam portal provides an API to access the result of attempt exams by a student.
Login with "batman" and try to access exam result of other user.
Following are the exam-id of test attempted by batman

  1. MQ==
  2. Mg==
Following is the API end point used to access the result.(authentication required)

GET method  http://{{ request.get_host }}/api/v1/exams/<exam_id>/

Aim: Try to access exam results of other user. {% endblock %}