Step-by-step skill for exploiting IDOR vulnerabilities to enumerate users, reset admin credentials, and escalate to XXE file disclosure in web application pentests.
A comprehensive pentesting skill for identifying and exploiting IDOR (Insecure Direct Object Reference) vulnerabilities to enumerate users, escalate privileges through password reset functions, and leverage XXE (XML External Entity) injection to extract sensitive files.
This skill guides you through a realistic web application penetration test scenario where you:
1. Enumerate API endpoints using proxy tools (Caido/Burp Suite)
2. Exploit IDOR vulnerabilities to discover admin users
3. Reset admin credentials via insecure reset functions
4. Escalate to XXE injection for file disclosure
## Step 1: Enumerate API Endpoints
1. **Access the target application** at the provided IP and port
2. **Authenticate with standard credentials**:
- Username: `htb-student`
- Password: `Academy_student!`
3. **Intercept traffic** using Caido or Burp Suite to capture the login flow
4. **Analyze responses**:
- Look for 301 redirects after successful login
- Identify API endpoints in subsequent 200 OK responses
- Note any user-specific identifiers in URLs (e.g., `/api.php/user/74`)
## Step 2: Exploit IDOR to Discover Admin Users
1. **Identify potential IDOR targets** in API endpoints
- Look for numeric user IDs in URLs like `/api.php/user/[ID]`
- Check for sequential or predictable identifiers
2. **Enumerate user endpoints**:
- Manually test adjacent IDs (73, 75, etc.)
- Or automate enumeration with Burp Intruder or Caido Automate; the same sweep with curl:
```bash
# Example with curl. TARGET is the host:port of the application and
# YOUR_SESSION is the authenticated session cookie captured in Step 1.
for i in {1..100}; do
  curl -s "http://TARGET/api.php/user/$i" -H "Cookie: YOUR_SESSION" | grep -i admin
done
```
3. **Identify privileged accounts** (admin, superuser, etc.)
4. **Document discovered usernames** for privilege escalation
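From the defender's side, the sweep above leaves a distinctive trace: one session requesting many consecutive `/api.php/user/<id>` records, where a legitimate user only fetches its own. The following detector is an added example, not part of the original skill; the access-log format and the sample lines (the `session=` field, the IPs, the timestamps) are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the page). Assumed format:
# client - - [time] "METHOD path HTTP/1.1" status bytes session=<cookie id>
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:01:01 +0000] "GET /api.php/user/74 HTTP/1.1" 200 512 session=s1
10.10.14.5 - - [12/Mar/2024:10:01:09 +0000] "GET /api.php/user/1 HTTP/1.1" 200 498 session=s1
10.10.14.5 - - [12/Mar/2024:10:01:09 +0000] "GET /api.php/user/2 HTTP/1.1" 200 501 session=s1
10.10.14.5 - - [12/Mar/2024:10:01:09 +0000] "GET /api.php/user/3 HTTP/1.1" 404 87 session=s1
10.10.14.5 - - [12/Mar/2024:10:01:10 +0000] "GET /api.php/user/4 HTTP/1.1" 200 505 session=s1
10.10.14.5 - - [12/Mar/2024:10:01:10 +0000] "GET /api.php/user/5 HTTP/1.1" 200 499 session=s1
10.10.14.7 - - [12/Mar/2024:10:02:00 +0000] "GET /api.php/user/12 HTTP/1.1" 200 510 session=s2
10.10.14.7 - - [12/Mar/2024:10:02:30 +0000] "GET /api.php/user/12 HTTP/1.1" 200 510 session=s2
10.10.14.7 - - [12/Mar/2024:10:02:40 +0000] "GET /reset.php HTTP/1.1" 200 1200 session=s2
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+ session=(?P<session>\S+)$"
)

def parse_log(text):
    """Yield (session, ip, user_id) for each request to /api.php/user/<id>."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = re.match(r"^/api\.php/user/(\d+)$", m["path"])
        if u:
            yield m["session"], m["ip"], int(u.group(1))

def find_enumeration(text, min_run=5, max_gap=1):
    """Flag sessions whose distinct user ids include >= min_run consecutive ids,
    the signature of a sweep like `for i in {1..100}`. Returns {session: (ip, ids)}."""
    ids, ips = defaultdict(set), {}
    for session, ip, uid in parse_log(text):
        ids[session].add(uid)
        ips[session] = ip
    flagged = {}
    for session, seen in ids.items():
        ordered = sorted(seen)
        run = best = 1  # longest run where each id is within max_gap of the last
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        if best >= min_run:
            flagged[session] = (ips[session], ordered)
    return flagged
```

Session `s1` is flagged (ids 1 to 5 form a run, regardless of the 404 on id 3), while `s2` re-fetching its own record is not; adapt `LINE_RE` to your server's real log format before running it on production logs.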
## Step 3: Reset Admin Credentials
1. **Locate password reset functionality** (e.g., `/reset.php`)
2. **Test for insecure reset mechanisms**:
- Missing CSRF tokens
- Predictable reset tokens
- Direct user ID manipulation
3. **Reset admin password**:
- Submit reset request for the admin user discovered in Step 2
- Check if authorization checks are missing
- Set a new password under your control
4. **Authenticate as admin** using the new credentials
## Step 4: Escalate to XXE File Disclosure
1. **Identify XML input points** (contact forms, API endpoints accepting XML)
2. **Craft XXE payload** to read sensitive files:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY Test SYSTEM "php://filter/convert.base64-encode/resource=/flag.php">
]>
<root>
  <name>&Test;</name>
  <details>Pentesting payload</details>
  <date></date>
</root>
```
3. **Submit the payload** through the identified input point
4. **Extract the base64-encoded file contents** from the server response
5. **Decode the flag**:
```bash
echo "BASE64_OUTPUT" | base64 -d
```
## Reporting
1. **Document all findings**:
- IDOR vulnerability with proof-of-concept
- Insecure password reset function
- XXE injection point and exploited file
2. **Calculate CVSS scores** for each vulnerability
3. **Provide remediation recommendations**:
- Implement proper authorization checks on API endpoints
- Add CSRF protection to password reset flows
- Disable external entity processing in XML parsers
- Use allow-lists for file access operations