Pantsir (Панцирь)
Created 10 Feb 2026, updated 13 Feb 2026
Support Tickets API (IDOR in Rust)
A Rust support-ticket API reads records by ID without owner scoping, creating an IDOR access-control flaw.
Rust · 190 pts · 20 min

Story

You are maintaining an internal support API used by agents and customers to track ticket status. A mobile client recently added a direct "open ticket by ID" feature for deep links.

Within hours of launch, customer success reports that users can view unrelated tickets by changing the numeric ID in the URL.

System Context

The service has three relevant routes:

  • GET /api/tickets/mine: owner-scoped list
  • GET /api/tickets/{id}: single-ticket fetch (reported vulnerable)
  • GET /api/tickets/mine/{id}: secure reference path

Identity is supplied via headers and parsed into UserContext.

Problem

The ticket detail route resolves records by numeric identifier but does not consistently scope that lookup to the authenticated user’s ownership context. Because ticket IDs are predictable enough to iterate, callers can request objects that belong to other users and still receive valid responses. This creates direct cross-tenant data exposure in a path that should be strictly owner-scoped.
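The contrast the problem statement describes, as an added Rust example that is not the lab's project code: an unscoped lookup of the shape behind GET /api/tickets/{id} next to an owner-scoped lookup of the kind the GET /api/tickets/mine/{id} reference path implies. The in-memory store, Ticket fields, handler names and sample ticket data are assumptions.

```rust
// Added example, not the lab's project code: Ticket fields, handler names,
// the in-memory store and the sample tickets are assumptions.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub struct Ticket {
    pub id: u64,
    pub owner_id: u64,
    pub subject: String,
}

/// Identity parsed from request headers (the lab's UserContext).
pub struct UserContext {
    pub user_id: u64,
}

/// Result of a single-ticket fetch, standing in for the HTTP response.
#[derive(Debug, PartialEq)]
pub enum Lookup {
    Found(Ticket),
    NotFound, // same answer for "missing" and "not yours", so ids are not confirmed
}

pub type Store = HashMap<u64, Ticket>;

/// Vulnerable shape of GET /api/tickets/{id}: resolves by id only, so any
/// authenticated caller can iterate ids and read other users' tickets.
pub fn get_ticket_unscoped(store: &Store, _user: &UserContext, id: u64) -> Lookup {
    match store.get(&id) {
        Some(t) => Lookup::Found(t.clone()),
        None => Lookup::NotFound,
    }
}

/// Owner-scoped shape of GET /api/tickets/mine/{id}: ownership is part of
/// the lookup predicate, so no path can return a record the caller does not own.
pub fn get_ticket_owned(store: &Store, user: &UserContext, id: u64) -> Lookup {
    match store.get(&id).filter(|t| t.owner_id == user.user_id) {
        Some(t) => Lookup::Found(t.clone()),
        None => Lookup::NotFound,
    }
}

/// Constructed sample data: two tickets owned by two different users.
pub fn sample_store() -> Store {
    let mut store = HashMap::new();
    store.insert(1001, Ticket { id: 1001, owner_id: 7, subject: "Login fails".into() });
    store.insert(1002, Ticket { id: 1002, owner_id: 8, subject: "Refund request".into() });
    store
}
```

The detection signal in production is the same contrast: a burst of sequential ticket ids from one UserContext on the unscoped route, most of which the scoped route would have answered with NotFound.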

Goal

Find the exact vulnerable line in the project code.
