In this chapter we will continue with the API we built in the previous exercise, but this time we will fake a few things to emulate a BAC/IDOR issue for educational purposes. Later on we will create a full-on login system and implement a real IDOR, but for this chapter we are going to fake it by building two arrays: we read the list from one array and grab the details from a second array that holds an extra element. This might seem a bit confusing, but let's dig into it to show you it does not have to be hard.
To start with, we will need to set up a virtual environment. This is a place where we can install the dependencies of a particular project and keep them separate from other projects. This is very useful for keeping an overview, but also when one project requires a certain version of a library while another project needs a much older, incompatible version of that same library.
On Linux/macOS:
mkdir "GoudAPI-BAC"
cd GoudAPI-BAC
python3 -m venv GoudAPI-BAC
On Windows:
mkdir GoudAPI-BAC
cd GoudAPI-BAC
py -3 -m venv GoudAPI-BAC
With these commands we create a venv (virtual environment) called GoudAPI-BAC, which shows up as a new folder. Now we have to switch to it.
On Linux/macOS:
. GoudAPI-BAC/bin/activate
On Windows:
GoudAPI-BAC\Scripts\activate
And now we can use pip to install Flask:
pip install Flask
Now that Flask is installed, we can create our first vulnerable API.
We will first need to write a few lines of code to tell Python to start a Flask web application.
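The two-array trick described at the top of the chapter, as an added example that is not the chapter's own code: one list feeds the listing endpoint, a second list with one extra record feeds the detail endpoint, so a client who guesses the extra id reads a record they were never shown. The hardened lookup beside it only consults the detail store for ids that appear in the visible list. The route names (/users, /users/<id>, /secure/users/<id>), the record fields and the sample users are all constructed for this example.

```python
"""Added example, not the chapter's own code: a tiny Flask API that emulates a
BAC/IDOR flaw with two lists, plus the hardened variant of the detail lookup.
Route names, record fields and sample users are constructed for this example.
"""

# List 1: what the "current user" is allowed to see. The listing is built from this only.
VISIBLE_USERS = [
    {"id": 1, "name": "alice"},
    {"id": 2, "name": "bob"},
]

# List 2: the detail store. It holds one extra record (id 3) that never appears in the
# listing above, so a client who guesses id=3 reads a record they were never shown.
USER_DETAILS = [
    {"id": 1, "name": "alice", "email": "alice@example.com"},
    {"id": 2, "name": "bob", "email": "bob@example.com"},
    {"id": 3, "name": "carol", "email": "carol@example.com"},  # hidden record
]


def list_users():
    """Returns the listing a client is allowed to see (built from list 1 only)."""
    return VISIBLE_USERS


def get_user_vulnerable(user_id):
    """IDOR-style lookup: reads straight from the detail store with no authorisation check."""
    for user in USER_DETAILS:
        if user["id"] == user_id:
            return user
    return None


def get_user_fixed(user_id):
    """Hardened lookup: the detail store is consulted only for ids in the visible list."""
    allowed_ids = {user["id"] for user in VISIBLE_USERS}
    if user_id not in allowed_ids:
        return None  # surfaces as 404, so the hidden record's existence is not confirmed
    return get_user_vulnerable(user_id)


def create_app():
    """Builds the Flask app; Flask is imported here so the lookup logic above runs without it."""
    from flask import Flask, abort, jsonify

    app = Flask(__name__)

    @app.route("/users")
    def users():
        return jsonify(list_users())

    @app.route("/users/<int:user_id>")
    def user_detail(user_id):
        # Vulnerable endpoint: any integer id reaches the detail store.
        user = get_user_vulnerable(user_id)
        if user is None:
            abort(404)
        return jsonify(user)

    @app.route("/secure/users/<int:user_id>")
    def user_detail_fixed(user_id):
        # Hardened endpoint: ids outside the visible list are rejected with 404.
        user = get_user_fixed(user_id)
        if user is None:
            abort(404)
        return jsonify(user)

    return app


if __name__ == "__main__":
    create_app().run(debug=False)
```

Run the file inside the activated venv and compare GET /users/3 (returns the hidden record) with GET /secure/users/3 (returns 404): the listing endpoint is identical for both, which is exactly why a listing that looks complete says nothing about what the detail endpoint will hand out.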