WHY CTF 2025: Shoe Shop 1.0

TL;DR

  • Shopping cart page uses a numeric id parameter to identify users.
  • No access control is enforced on cart ownership.
  • Changing id allows viewing other users’ carts (classic IDOR).
  • Accessing id=1 reveals the admin cart containing the flag.

Description

We created a new shoe shop, so we can sell some shoes. Too bad the admin already put the exclusive shoe in his shopping cart, but feel free to browse around and check out if there are some shoes you like.

Solution

We have an online shoe store where we can create an account, add items to the cart, view the cart etc.

Shoe Shop 1.0 homepage showing product listings and navigation options

IDOR

When I open the cart, I notice that the URL carries an ID unique to my account: page=cart&id=694

If we change the ID, the application gives access to other users' carts. So, let's check user #1 for the flag.

https://shoe-shop-1.ctf.zone/index.php?page=cart&id=1

Admin shopping cart accessed via IDOR showing exclusive shoe and flag

Flag: flag{00f34f9c417fcaa72b16f79d02d33099}
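
The missing ownership check behind this IDOR, shown as an added example (not the challenge's server code, which the write-up does not show): a constructed Python model of the cart lookup with the vulnerable handler beside a hardened one, plus an authorization-matrix check that flags any cross-user read. All names, tokens and cart contents are assumptions made for illustration.

```python
# Constructed model of the cart lookup; not the challenge's server code.
CARTS = {1: ["exclusive shoe"], 694: ["sneaker"], 695: []}     # cart id -> items (sample data)
SESSIONS = {"tok-admin": 1, "tok-alice": 694, "tok-bob": 695}  # session token -> user id


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested cart."""


def view_cart_vulnerable(session_token, params):
    """Trusts the client-supplied id: any logged-in user can read any cart."""
    if session_token not in SESSIONS:
        raise Forbidden("login required")
    return CARTS[int(params["id"])]


def view_cart_hardened(session_token, params):
    """Derives the owner from the server-side session and rejects mismatches."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        raise Forbidden("login required")
    try:
        requested = int(params.get("id", user_id))
    except ValueError:
        raise Forbidden("cart not available") from None
    # Same response for "not yours" and "does not exist" so ids cannot be enumerated.
    if requested != user_id or requested not in CARTS:
        raise Forbidden("cart not available")
    return CARTS[requested]


def cross_access(handler):
    """Authorization matrix: every session against every cart id.
    Returns the (user_id, cart_id) pairs where a user read someone else's cart."""
    leaks = []
    for token, user_id in SESSIONS.items():
        for cart_id in CARTS:
            try:
                handler(token, {"id": str(cart_id)})
            except Forbidden:
                continue
            if cart_id != user_id:
                leaks.append((user_id, cart_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", cross_access(view_cart_vulnerable))
    print("hardened:  ", cross_access(view_cart_hardened))
```

Running `cross_access` against every cart-style endpoint in a regression suite catches this class of bug before release: an empty list means no session could read a cart it does not own.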