A comprehensive guide to performing web app pentesting focusing on IDOR vulnerabilities and XXE attacks to escalate privileges and extract sensitive data from social network applications.
This skill demonstrates a complete web application penetration testing methodology for a social network web app, focusing on Insecure Direct Object Reference (IDOR) vulnerabilities and XML External Entity (XXE) attacks to escalate privileges and extract sensitive information.
1. **Login with provided credentials**:
   - Username: `htb-student`
   - Password: `Academy_student!`
2. **Use Caido for request analysis**:
   - Monitor login requests
   - Analyze response codes (301 redirect, 200 OK)
   - Identify API endpoints

1. **Identify potential IDOR endpoint**: `/api.php/user/74`
2. **Enumerate users systematically**:
   - Change user ID parameters
   - Look for admin accounts
   - Document user information

1. **Locate password reset functionality**: `/reset.php`
2. **Exploit IDOR in password reset**:
   - Reset admin user password
   - Gain admin access credentials

1. **Craft XXE payload for file disclosure**:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY Test SYSTEM "php://filter/convert.base64-encode/resource=/flag.php">
]>
<root>
  <name>&Test;</name>
  <details>test</details>
  <date></date>
</root>
```
2. **Submit XXE payload through vulnerable form**
3. **Decode base64 response to extract flag content**
1. Implement proper access controls for user data endpoints
2. Validate user permissions before allowing password resets
3. Disable XML external entity processing
4. Use indirect object references with proper authorization checks
5. Implement comprehensive logging and monitoring
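A hardened version of the three flows the list above covers (the per-user API endpoint, the password reset, and the XML form), written here as an added Python example rather than the lab's PHP; it is not code from the lab or from this skill. The session dict, the in-memory `USERS` table and the function names are assumptions, and the sample data is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data (assumption): records keyed by the numeric id that
# appeared in the /api.php/user/<id> URL. Passwords are placeholders.
USERS = {74: {"name": "htb-student", "role": "user"},
         1: {"name": "admin", "role": "admin"}}
PASSWORDS = {74: "<placeholder>", 1: "<placeholder>"}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


def get_user(session, requested_id):
    """Object-level authorization for /api.php/user/<id>: being logged in is not
    enough; a user may read only their own record, an admin may read any."""
    if session["role"] != "admin" and session["user_id"] != requested_id:
        raise Forbidden("object does not belong to the caller")
    return USERS[requested_id]


def reset_password(session, target_id, new_password):
    """The reset target is bound to the session user, so a client-supplied id
    pointing at the admin account (the IDOR above) is rejected."""
    if target_id != session["user_id"]:
        raise Forbidden("password resets apply only to the authenticated user")
    PASSWORDS[target_id] = new_password
    return True


DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def parse_untrusted_xml(document):
    """Refuse any DTD before parsing: with no DOCTYPE there can be no entity
    declaration, so the php://filter payload above never reaches the parser."""
    if DOCTYPE_RE.search(document):
        raise ValueError("DTDs are not accepted")
    root = ET.fromstring(document)
    return {child.tag: (child.text or "") for child in root}
```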
This methodology demonstrates common web application vulnerabilities and should only be used in authorized penetration testing scenarios with proper permission and scope definition.