Pantsir
Created 10 Feb 2026 · Updated 10 Feb 2026
Support Tickets API (IDOR in Rust)
A Rust support-ticket backend exposes direct object access by ID without ownership checks, enabling IDOR.
Rust · 190 pts · 20 min

Overview

The Support Tickets backend is a small Rust API for internal customer support tooling.

Main endpoints:

  • GET /health for health checks
  • GET /api/tickets/mine for listing the caller's own tickets
  • GET /api/tickets/{id} for fetching one ticket

The security team reported that users can read other users' tickets by changing the ticket ID.

Your task: inspect the Rust server code and identify the exact vulnerable line that enables IDOR (Insecure Direct Object Reference), which is part of OWASP A01 Broken Access Control.
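The shape of the defect, and the fix a reviewer would expect, as an added example (not the lab's own source, which is not shown here): an in-memory ticket store stands in for the real database, and the `Ticket`/`ApiError` types and the `caller_id` parameter are assumptions. The hardened lookup enforces ownership and reports a foreign ticket exactly like a missing one.

```rust
use std::collections::HashMap;

/// Hypothetical ticket model (assumption; the lab's real struct is not shown).
#[derive(Debug, Clone, PartialEq)]
pub struct Ticket {
    pub id: u64,
    pub owner_id: u64,
    pub subject: String,
}

#[derive(Debug, PartialEq)]
pub enum ApiError {
    NotFound,
}

pub type Store = HashMap<u64, Ticket>;

/// Vulnerable shape: the caller's identity is never consulted, so any
/// authenticated user who supplies another ticket's ID reads it (IDOR).
pub fn get_ticket_vulnerable(store: &Store, _caller_id: u64, ticket_id: u64) -> Result<&Ticket, ApiError> {
    store.get(&ticket_id).ok_or(ApiError::NotFound)
}

/// Hardened shape: look the ticket up, then enforce ownership.
/// A ticket that exists but belongs to someone else is answered exactly like
/// a missing one, so the response does not reveal which IDs are valid.
pub fn get_ticket(store: &Store, caller_id: u64, ticket_id: u64) -> Result<&Ticket, ApiError> {
    match store.get(&ticket_id) {
        Some(t) if t.owner_id == caller_id => Ok(t),
        _ => Err(ApiError::NotFound),
    }
}

/// Constructed sample data for the demonstration.
pub fn sample_store() -> Store {
    let mut s = Store::new();
    s.insert(1, Ticket { id: 1, owner_id: 100, subject: "Login issue".into() });
    s.insert(2, Ticket { id: 2, owner_id: 200, subject: "Billing question".into() });
    s
}

fn main() {
    let store = sample_store();
    // User 100 requests ticket 2, which belongs to user 200.
    println!("vulnerable: {:?}", get_ticket_vulnerable(&store, 100, 2));
    println!("hardened:   {:?}", get_ticket(&store, 100, 2));
}
```

When reviewing a handler for `GET /api/tickets/{id}`, the line to look for is the one that fetches by `ticket_id` alone; the ownership predicate must be applied before the record is returned.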
