FastAPI IDOR Demo
A simple REST API for managing notes, built with FastAPI.
You are logged in as alice (user id: 2). Your note is at /notes/2.
But the app fails to verify ownership before returning a note — there's another user whose note contains the flag.
Goal: Retrieve the flag from /flag.txt via the API.
Hint: Try other note IDs. Who else has a note stored here?
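For readers who want to see the defect the page describes in code, here is an added example (it is not the demo's own source): a note lookup that trusts the client-supplied id alone, beside the ownership check a fixed version needs. The note store, the other user's id, and the `current_user()` stub are constructed placeholders; the page only establishes that alice is user 2 and owns note 2, so nothing here reproduces the demo's real data or its flag.

```python
"""Added example (not the demo's code): the IDOR described on the page, next to the ownership check that fixes it."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Note:
    id: int
    owner_id: int
    body: str


# Constructed sample store. Ids follow the page (alice is user 2 and owns note 2);
# the other user's id and both bodies are placeholders, not the demo's data.
NOTES: Dict[int, Note] = {
    1: Note(id=1, owner_id=1, body="<other user's note: placeholder>"),
    2: Note(id=2, owner_id=2, body="alice's shopping list"),
}

# Denied cross-user lookups, recorded so a defender can spot id enumeration in logs.
DENIED: List[Tuple[int, int]] = []


def current_user() -> int:
    """Placeholder identity source: the page says the caller is alice (id 2).
    A real app derives this from the verified session or token, never from the path or body."""
    return 2


def get_note_vulnerable(store: Dict[int, Note], note_id: int) -> Optional[Note]:
    """Mirrors the defect on the page: the note is fetched by the client-supplied id alone,
    so any authenticated user can read any note."""
    return store.get(note_id)


def get_note_secure(store: Dict[int, Note], note_id: int, user_id: int) -> Optional[Note]:
    """Ownership check: the record is returned only if it exists AND belongs to the caller.
    Both failure cases collapse to None (-> 404), so the endpoint does not confirm which ids exist."""
    note = store.get(note_id)
    if note is None or note.owner_id != user_id:
        if note is not None:
            # An existing note requested by a non-owner is the signal worth alerting on.
            DENIED.append((user_id, note_id))
        return None
    return note


def build_app():
    """FastAPI wiring for the hardened handler. FastAPI is imported lazily so the
    authorization logic above can be exercised without the framework installed."""
    from fastapi import Depends, FastAPI, HTTPException

    app = FastAPI()

    @app.get("/notes/{note_id}")
    def read_note(note_id: int, user_id: int = Depends(current_user)):
        note = get_note_secure(NOTES, note_id, user_id)
        if note is None:
            raise HTTPException(status_code=404, detail="Note not found")
        return {"id": note.id, "body": note.body}

    return app


if __name__ == "__main__":
    # Offline demonstration; to serve, assign `app = build_app()` at module level and run uvicorn.
    me = current_user()
    print("vulnerable, id 1:", get_note_vulnerable(NOTES, 1))  # other user's note leaks
    print("secure, id 1:", get_note_secure(NOTES, 1, me))      # None -> 404
    print("secure, id 2:", get_note_secure(NOTES, 2, me))      # alice's own note
    print("denied attempts logged:", DENIED)
```

The fix is the single `note.owner_id != user_id` comparison, but two details matter in practice: the caller's identity must come from the server-side session (the `current_user` dependency), not from anything the client controls, and "not found" and "not yours" should produce the same 404 so the endpoint cannot be used to confirm which ids exist. The `DENIED` list stands in for an audit log; a burst of entries from one user across many note ids is the detection signature for this class of bug.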