About this Site
Purpose. This site is a controlled teaching environment used in the VU23222 unit at Charles Darwin University (CDU). The exercise is designed to help students learn how insecure client-side controls and poorly implemented access checks can lead to privilege escalation and data disclosure. The lab is intentionally insecure — it is safe to test only within this environment.
Copyright & Use Restrictions
© 2026 Stan Gritsienko. This site and its content are the intellectual property of the instructor and are provided solely for the academic use of CDU students enrolled in VU23222. Use, copying, distribution, or testing of this site is permitted only by enrolled CDU students and staff for course activities. Any other use is prohibited without express written permission.
Rules & Legal / Ethical Notice
- This environment is provided for authorised teaching and assessment only. Do not attempt to apply any techniques learned here on systems you do not own or have explicit permission to test.
- Use fake emails and passwords for registration. Do not use real or personal credentials anywhere in this lab.
- All activities must be performed in accordance with CDU policies and your course code of conduct. Misuse may result in disciplinary action.
Exercise Overview (what to do)
The exercise focuses on two common web security issues: (1) trusting client-side data for authorization and (2) Insecure Direct Object References (IDOR). The required deliverable is a screenshot showing your account (or the admin view) as described in the assessment instructions.
High-level steps
- Register on this site using a fake email and password (follow the registration form).
- Observe the login flow using an interception/proxy tool configured in your browser (this lab uses Kali + an intercepting proxy as the teaching platform). Examine the HTTP request sent by the browser: note the request method, the parameter names that carry credentials, and any cookies the server sets.
- Investigate how the server uses client-side values for authorization. In this lab you will see that a client-side cookie (an authorization flag) can be changed to alter the server’s response.
- Experiment (within the lab only): using the interception proxy you may modify client-side values to observe server behaviour. The assessment expects you to demonstrate that changing the authorization flag exposes the admin view that lists registered users.
- IDOR investigation. There is additionally an IDOR weakness in the site: by adjusting a numeric identifier in a URL or parameter you can access other users’ records. Explore this only against this lab instance and within the assessment scope.
- Evidence. Capture the required screenshot(s) as stated in the assessment brief - for example, a screenshot of the admin panel showing your user record - and submit them according to the assessment instructions.
Learning objectives
- Understand why authorisation must be enforced server-side and never rely on client-controlled values.
- Recognise common weaknesses such as trusting authorization cookies and IDORs.
- Practice safe, legal testing using an isolated lab environment and proper evidence capture.
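To make the two weaknesses in the learning objectives concrete, here is an added example (illustrative code, not the lab's own source): each handler is shown in the client-trusting form the lab demonstrates and in the server-side form the objectives call for. The session store, user table and cookie names are constructed for the illustration.

```python
# Constructed data standing in for the server's session store and user table.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-inst": "instructor"}
USERS = {1: {"name": "alice", "role": "user"},
         2: {"name": "bob", "role": "user"},
         3: {"name": "instructor", "role": "admin"}}
USER_IDS = {u["name"]: uid for uid, u in USERS.items()}

def vulnerable_admin_view(cookies):
    """Trusts a client-controlled flag: any browser sending admin=1 gets the user list."""
    if cookies.get("admin") == "1":
        return 200, [u["name"] for u in USERS.values()]
    return 403, None

def vulnerable_record(cookies, record_id):
    """IDOR: checks that *some* user is logged in, never that the record is theirs."""
    if cookies.get("session") not in SESSIONS:
        return 401, None
    return (200, USERS[record_id]) if record_id in USERS else (404, None)

def current_user(cookies):
    """Resolve identity only from the server-side session store, never from other cookies."""
    name = SESSIONS.get(cookies.get("session", ""))
    return USERS[USER_IDS[name]] if name else None

def hardened_admin_view(cookies):
    """Role is read from the server's own user record; extra cookies are ignored."""
    user = current_user(cookies)
    if user is None:
        return 401, None
    if user["role"] != "admin":
        return 403, None
    return 200, [u["name"] for u in USERS.values()]

def hardened_record(cookies, record_id):
    """Object-level check: the record must belong to the caller, or the caller is admin."""
    user = current_user(cookies)
    if user is None:
        return 401, None
    if record_id not in USERS:
        return 404, None
    if USERS[record_id]["name"] != user["name"] and user["role"] != "admin":
        return 403, None
    return 200, USERS[record_id]
```

The status codes in the hardened handlers come from the server's own session and ownership data, so changing cookies or URL identifiers on the client has no effect on who may see what.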
Support & Contact
If you encounter problems with the lab environment (site errors, database reset required, or missing accounts), contact the instructor: stan.gritsienko@vdu.edu.au. Do not attempt to fix server-side issues by probing beyond the lab scope - report them so the instructor can reset the environment.
By using this lab you confirm you will respect the allowed use and legal/ethical restrictions set out above.