16.4.7.5.1 Understanding Implications of Using X01
Understand how an authenticated user can change the value of an image ID in the image URL using an image-serving page.
When viewing a page containing image URLs that use the x01 parameter, an authenticated user who knows the ID of a different image can view it by:
- Selecting Copy Image Address from the context menu on an existing image in the page,
- Creating a new browser tab and pasting the copied URL into the address bar,
- Manually modifying x01=123456 to x01=98765, and pressing [Enter].
In Woods HR, where any authenticated user is permitted to view any break room photo, this is not a problem.
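Because x01 is an ordinary query parameter, the image-serving page cannot treat the value in the URL as proof that the caller is allowed to see that image; the server must decide per image ID. The following added example (not part of the Oracle APEX documentation or product code) models that server-side check with a constructed access table and constructed URLs; the user names, image IDs and URL path are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample policy: which authenticated user may view which image ID.
# In an application like Woods HR, where every authenticated user may see every
# break room photo, this table would simply allow any known user for every ID.
IMAGE_VIEWERS = {
    "123456": {"alice", "bob"},  # a break room photo both users may see
    "98765": {"bob"},            # a different image that only bob may see
}


def image_id_from_url(url):
    """Return the x01 value from an image-serving URL, or None if it is absent.

    x01 is a plain query parameter, so whatever comes back here was chosen by
    the caller and may have been edited in the address bar.
    """
    values = parse_qs(urlparse(url).query).get("x01")
    return values[0] if values else None


def may_view(user, image_id):
    """Authorization decision for one image, independent of how the URL was built."""
    return user is not None and user in IMAGE_VIEWERS.get(image_id, set())


def serve_image(user, url):
    """Model the image-serving page: (status code, image id served or None)."""
    image_id = image_id_from_url(url)
    if image_id is None:
        return (400, None)          # no x01 at all: nothing to serve
    if not may_view(user, image_id):
        return (403, None)          # authenticated, but not for this image
    return (200, image_id)          # authorized: serve the image


if __name__ == "__main__":
    # Constructed URLs mirroring the copy-and-edit steps described above.
    original = "https://example.com/image_page?x01=123456"
    edited = "https://example.com/image_page?x01=98765"
    print(serve_image("alice", original))  # alice may view 123456
    print(serve_image("alice", edited))    # alice may not view 98765
```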
Parent topic: Weighing X01 Against a Secure Page Item