
IDOR (Insecure Direct Object Reference) — detecting it with wfuzz, and the server-side fix

Detection based on the HTTP response status code: hide 404 (object does not exist) and 403 (exists but denied) and inspect what remains — a 200 for an id that is not your own is a candidate IDOR. Note that the hidden 403s still confirm which ids exist (enumeration).

# Status-code based IDOR probe: fuzz the profile id from ids.txt and hide
# 404 (no such object) and 403 (denied); anything left that is not your own
# profile needs a manual look. Run it with the low-privilege test session
# (-b cookie / -H header) or you are only measuring unauthenticated access.
URL='http://michalszalkowski.com/'
wfuzz -c -w ids.txt --hc 404,403 "${URL}?profile=FUZZ"

Detection based on response size: wfuzz reports a 200 OK for an existing profile at roughly 500/505/425 lines, while a 200 OK for a non-existent profile is 25 lines, so hide the 25-line responses with --hl 25. Note that --hl filters on line count, not on the Content-Length header; use --hh to filter on byte length when pages differ only in characters.

# Size based IDOR probe: the "no profile" page is 25 lines, a real profile is
# several hundred, so hide the 25-line responses and review the rest.
# --hl counts lines; --hh filters on byte length if that is the better signal.
URL='http://michalszalkowski.com/'
wfuzz -c -w ids.txt --hl 25 "${URL}?profile=FUZZ"

<?php
  // VULNERABLE (IDOR): the id is taken straight from the query string and
  // passed to get_user_profile() with no check that the caller is allowed
  // to read that user. Nothing in this snippet ties the requested id to the
  // caller's session, so the ids can simply be iterated -- this is what the
  // wfuzz runs above enumerate.
  $user_id = $_GET['id'];
  $user_profile = get_user_profile($user_id);
?>
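<?php
  // Fixed pattern: resolve the caller, authorise the caller against the
  // requested object id, and only then load the object.
  if (!isset($_GET['id'])) {
      throw new InvalidArgumentException('id required');
  }
  $user_id = $_GET['id'];

  // Resolve the caller from the session cookie, falling back to the token
  // header. `/` in the original is integer division in PHP; "cookie OR
  // header" is `??` (assumes both helpers return null when absent -- TODO confirm).
  // The session object is expected to carry the caller's permissions and
  // group memberships, which the check below relies on.
  $user_session = getUserSessionFromCookie() ?? getUserSessionFromTokenHeader();

  // Deny by default: the caller must be explicitly allowed to read
  // USERS/$user_id, otherwise this throws and the profile is never fetched.
  // (`.` is string concatenation in PHP; a method chain needs `->`.)
  // NOTE(review): if this exception maps to 403 while a missing id maps to
  // 404, the status difference still tells an attacker which ids exist
  // (see the --hc 404,403 run above); consider answering both identically.
  throwExceptionIf()->thatUser($user_session)->notHaveAccessTo(USERS, $user_id);

  $user_profile = get_user_profile($user_id);
?>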
users table — sequential id vs. random uuid as the exposed identifier: id uuid user
1 3456b0cd-4ffe-4ed9-b64d-01cd33682c86 admin
2 c92c6c42-4773-4a69-b5f4-ed770985552f michal
3 57057590-1a38-4321-9bcb-c5513259fb02 hacker
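<?php
  // Same fix with a UUID as the exposed identifier. A random UUID makes ids
  // hard to guess (the wfuzz runs above stop working), but it is NOT an
  // authorisation control: a leaked or shared UUID is still usable, so the
  // access check below stays.
  if (!isset($_GET['uuid'])) {
      throw new InvalidArgumentException('uuid required');
  }
  $user_uuid = $_GET['uuid'];

  // Reject anything that is not shaped like the UUIDs in the users table
  // before it reaches the authorisation layer or the database.
  if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $user_uuid)) {
      throw new InvalidArgumentException('malformed uuid');
  }

  // Resolve the caller from the session cookie, falling back to the token
  // header (`??`, not `/`; assumes both helpers return null when absent -- TODO confirm).
  // The session is expected to carry the caller's permissions and groups.
  $user_session = getUserSessionFromCookie() ?? getUserSessionFromTokenHeader();

  // Deny by default: the caller must be explicitly allowed to read
  // USERS/$user_uuid, otherwise this throws and nothing is loaded.
  // (`.` is string concatenation in PHP; a method chain needs `->`.)
  throwExceptionIf()->thatUser($user_session)->notHaveAccessTo(USERS, $user_uuid);

  $user_profile = get_user_profile($user_uuid);
?>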

media_table — the same pattern applies to any object reference, e.g. media files: the owner(user_id) column is what the access check has to be made against, regardless of whether the row is addressed by id or uuid

id uuid filename owner(user_id)
1 3456b0cd-4ffe-4ed9-b64d-01cd33682c86 marta.jpg 52
2 c92c6c42-4773-4a69-b5f4-ed770985552f michal.jpg 53
3 57057590-1a38-4321-9bcb-c5513259fb02 hacker.jpg 54