Systematic web application penetration testing workflow for identifying and exploiting IDOR vulnerabilities and XXE injection to escalate privileges and extract sensitive data.
This skill guides you through a systematic approach to web application penetration testing, focusing on IDOR (Insecure Direct Object Reference) and XXE (XML External Entity) vulnerabilities to achieve privilege escalation and data exfiltration.
This workflow is designed for authorized security testing of web applications, particularly social networking platforms. The goal is to identify vulnerabilities, escalate privileges from a standard user account to administrator access, and extract sensitive data through proper exploitation techniques.
1. **Intercept and analyze authentication flow**
- Use a web proxy tool (Caido, Burp Suite, or similar)
- Log in with provided test credentials
- Capture all HTTP requests and responses during login
- Document the authentication mechanism (session tokens, cookies, etc.)
2. **Map redirect chains and API endpoints**
- Identify 301/302 redirects following successful authentication
- Note all API endpoints exposed to authenticated users
- Pay special attention to user-specific endpoints (e.g., `/api.php/user/{id}`)
3. **Identify potential attack surfaces**
- Look for endpoints that accept user-controllable IDs
- Document any XML processing endpoints
- Note file upload or data import functionality
- Map out user roles and access levels visible in responses
4. **Test for IDOR on user enumeration**
- Locate user-specific API endpoints (e.g., `/api.php/user/74`)
- Systematically enumerate user IDs by incrementing/decrementing values
- Document all discovered user accounts, especially privileged ones (admin, moderator)
- Extract usernames, email addresses, or other identifying information
5. **Identify privilege escalation paths**
- Look for password reset functionality (`/reset.php` or similar)
- Check if password reset requests validate authorization properly
- Test if you can reset passwords for other users (especially admin accounts)
- Attempt to change admin credentials using IDOR in reset functionality
6. **Escalate to administrative access**
- Use discovered admin username with the compromised/reset password
- Verify successful authentication as administrator
- Document all new functionality available to admin role
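The two IDORs in steps 4 to 6 both come down to a missing object-level authorization check. The following Python code is an added illustration, not code from any tested application: the in-memory store, session model and all function names are assumptions standing in for `/api.php/user/{id}` and `/reset.php`, and the ids 1 (admin) and 74 (standard user) and the e-mail addresses are constructed. Each vulnerable handler is shown beside its hardened form.

```python
"""Object-level authorization for a user endpoint and a password-reset flow.

Added illustration for this workflow, not code from any tested application.
The in-memory store, the session model and all function names are
assumptions standing in for /api.php/user/{id} and /reset.php; the ids
1 (admin) and 74 (standard user) and the e-mail addresses are constructed.
"""
import hashlib
import os
import secrets

class Forbidden(Exception):
    """Raised where the real application should answer 403 (or 404)."""

# Constructed user store: id -> profile record.
USERS = {
    1:  {"username": "admin", "email": "admin@example.test", "role": "admin"},
    74: {"username": "alice", "email": "alice@example.test", "role": "user"},
    75: {"username": "bob",   "email": "bob@example.test",   "role": "user"},
}
PUBLIC_FIELDS = ("username", "role")   # visible to any logged-in user
PASSWORDS = {}                          # id -> (salt, pbkdf2 digest)
RESET_TOKENS = {}                       # id -> (sha256(token), expiry)
TOKEN_LIFETIME = 900                    # seconds

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _store_password(user_id, password):
    salt = os.urandom(16)
    PASSWORDS[user_id] = (salt, _hash(password, salt))

def verify_password(user_id, password):
    salt, digest = PASSWORDS[user_id]
    return secrets.compare_digest(digest, _hash(password, salt))

# --- step 4: GET /api.php/user/{id} ---------------------------------------
def vulnerable_get_user(session_user_id, requested_id):
    """The IDOR: the id from the URL is trusted and the session is ignored,
    so any user can read any other user's full record, e-mail included."""
    return dict(USERS[requested_id])

def safe_get_user(session_user_id, requested_id):
    """Owner and admin get the full record; other users get only the public
    fields. Unknown ids and anonymous callers get the same refusal, so the
    response does not confirm which ids exist."""
    if session_user_id not in USERS or requested_id not in USERS:
        raise Forbidden("not found")
    caller, record = USERS[session_user_id], USERS[requested_id]
    if session_user_id == requested_id or caller["role"] == "admin":
        return dict(record)
    return {k: record[k] for k in PUBLIC_FIELDS}

# --- steps 5-6: POST /reset.php -------------------------------------------
def vulnerable_reset_password(session_user_id, target_id, new_password):
    """The IDOR in the reset form: the target account comes from the request
    and is never compared with the session, so a standard user can set the
    admin password."""
    _store_password(target_id, new_password)
    return True

def issue_reset_token(user_id, now):
    """Single-use token bound to one account; the application would deliver
    it out of band (e-mail). Only its hash is stored."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[user_id] = (digest, now + TOKEN_LIFETIME)
    return token

def _consume_reset_token(target_id, token, now):
    entry = RESET_TOKENS.get(target_id)
    if entry is None:
        return False
    digest, expiry = entry
    presented = hashlib.sha256(token.encode()).digest()
    if now > expiry or not secrets.compare_digest(digest, presented):
        return False
    del RESET_TOKENS[target_id]   # single use: a replay fails
    return True

def safe_reset_password(session_user_id, target_id, new_password,
                        reset_token=None, now=0):
    """Allow the change only for the account owner, an admin, or a caller
    presenting a valid unexpired token issued for that exact account."""
    if target_id not in USERS:
        raise Forbidden("not found")
    is_owner = session_user_id == target_id
    is_admin = session_user_id in USERS and USERS[session_user_id]["role"] == "admin"
    if not (is_owner or is_admin or
            (reset_token is not None and _consume_reset_token(target_id, reset_token, now))):
        raise Forbidden("not authorized to reset this account")
    _store_password(target_id, new_password)
    return True

def denied(fn, *args, **kwargs):
    """True when the call is refused with Forbidden (used by the checks)."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False

# Seed constructed starting passwords.
for _uid in USERS:
    _store_password(_uid, f"initial-{_uid}")
```

The point of `safe_get_user` is that the session, not the URL, decides what is returned, and that a standard user asking for id 1 receives the same public view whether the id is the admin or any other account. In `safe_reset_password` the reset token is bound to the account it was issued for, hashed at rest, compared in constant time, and consumed on first use, so presenting a token issued for user 74 against user 1, replaying a used token, or using an expired one are all refused.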
7. **Identify XML processing endpoints**
- Look for features that accept XML input (contact forms, data imports, API endpoints)
- Test if the application parses XML entities
- Check for error messages that reveal XML parsing behavior
8. **Craft XXE payload for file disclosure**
- Use the PHP filter wrapper to base64-encode the target file, so that PHP tags and other XML-special characters in its contents do not break the parser
- Target known sensitive files (e.g., `/flag.php`, configuration files, source code)
- Example payload structure:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY file SYSTEM "php://filter/convert.base64-encode/resource=/path/to/sensitive/file">
]>
<root>
<name>&file;</name>
<details>test</details>
<date></date>
</root>
```
9. **Extract and decode sensitive data**
- Submit the XXE payload through the vulnerable endpoint
- Capture the base64-encoded response
- Decode the base64 string to reveal file contents
- Document the extracted data (flags, credentials, configuration secrets)
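Whether the payload in step 8 discloses anything depends on the parser and its configuration, which is why the intake side should refuse the DTD outright rather than rely on parser defaults. The following Python code is an added illustration, not code from any tested application: the function names are assumptions, both sample documents are constructed, and the malicious one reproduces the payload structure from step 8 with its placeholder path. It pairs a hardened intake function with a detector that names the XXE indicators present in raw input.

```python
"""Hardened intake of untrusted XML plus a detector for XXE indicators.

Added illustration for this workflow, not code from any tested application;
the function names are assumptions. Both sample documents are constructed:
the malicious one reproduces the payload structure from step 8 with a
placeholder path.
"""
import re
import xml.etree.ElementTree as ET

BENIGN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<root><name>test</name><details>test</details><date></date></root>"""

XXE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY file SYSTEM "php://filter/convert.base64-encode/resource=/path/to/sensitive/file">
]>
<root><name>&file;</name><details>test</details><date></date></root>"""

# XML keywords are case-sensitive, so matching the uppercase forms is exact.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE"),
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b"),
    "parameter_entity": re.compile(r"<!ENTITY\s+%"),
    "php_wrapper": re.compile(r"php://"),
    "file_scheme": re.compile(r"file://"),
}

class UnsafeXML(ValueError):
    """Raised for documents the intake policy refuses to parse."""

def xxe_indicators(document):
    """Names of the indicators present in the raw text, sorted. Suitable for
    a WAF rule, log enrichment, or a regression test of the intake policy."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(document))

def parse_untrusted_xml(document):
    """Refuse any document carrying a DOCTYPE before it reaches the parser.
    Every entity declaration, external or internal, needs a DTD, so this one
    rule blocks both file disclosure and entity-expansion attacks. Returns
    the root's direct children as a tag -> text dict."""
    if INDICATORS["doctype"].search(document):
        raise UnsafeXML("DOCTYPE/DTD not accepted from untrusted input")
    root = ET.fromstring(document)
    return {child.tag: (child.text or "") for child in root}

def is_rejected(document):
    """True when the intake policy refuses the document (used by the checks)."""
    try:
        parse_untrusted_xml(document)
    except UnsafeXML:
        return True
    return False
```

The detector works on text, so decode request bodies to `str` according to their declared encoding before calling it; a document sent in UTF-16 would otherwise slip past byte-oriented matching. Libraries such as defusedxml apply the same refuse-the-DTD policy for the standard parsers, and the `xxe_indicators` output is the kind of evidence worth attaching to the alert when a contact form or import endpoint starts receiving DOCTYPE-bearing bodies.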
**User request**: "I need to test a web application for IDOR and XXE vulnerabilities as part of an authorized pentest engagement"
**AI agent response**:
1. Set up web proxy to intercept traffic
2. Authenticate with test credentials and map all API endpoints
3. Enumerate users via `/api.php/user/{id}` endpoint
4. Exploit IDOR in password reset to gain admin access
5. Test XML processing endpoints for XXE vulnerability
6. Extract sensitive files using PHP filter wrapper
7. Document all findings with screenshots and reproduction steps