WebGoat IDOR 5

PVXs
4 min read · Oct 1, 2020
WebGoat IDOR lesson 5

From IDOR lesson 4 the URL for viewing a profile is known

http://<webgoat_IP>:<webogat_port>/WebGoat/IDOR/profile/<userId>

Let’s see if it is possible to guess another user ID.

HTTP Request for my own profile page

This is the request for my own profile. The userId is 7 digits long, and running through all 10⁷ numbers is a bit too much, so let’s fuzz some of those IDs with FFUF — https://github.com/ffuf/ffuf

On most Unix-like systems the “seq” command can be used to generate a list of numbers:

seq -f "%03g" 000 999 > numbers.txt

This particular command creates a list of 3-digit numbers, from 000 to 999, and saves it to “numbers.txt”. Only the last three digits of the ID will be fuzzed; the first four digits (2342) of the known user ID are kept fixed in the URL.

ffuf -c -w numbers.txt \
-u http://192.168.56.104:8080/WebGoat/IDOR/profile/2342FUZZ \
-H "Host: 192.168.56.104:8080" \
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" \
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \
-H "Accept-Language: en-US,en;q=0.5" \
-H "Accept-Encoding: gzip, deflate" \
-H "Cookie: JSESSIONID=AW1KfKZeFf4b9IyuZEYyyfvO1Aijt9sKmF2eztv2; WEBWOLFSESSION=RLa_vgmDgoZ-HFul3qVfSaEsR0EWlpPbnllTpPy9" \
-mc 200 -t 1

The options of this FFUF command are:

  • -c -> colored output
  • -w numbers.txt -> uses the previously created numbers list as the fuzzing wordlist
  • -u http://192.168.56.104:8080/WebGoat/IDOR/profile/2342FUZZ -> fuzzes this URL by substituting the FUZZ keyword with each number from the wordlist in turn, keeping the first four digits of the known user ID fixed
  • -H <something> -> all of the -H parameters are request headers, added to make every request as similar as possible to the one obtained from Burp HTTP history
  • -mc 200 -> shows only responses matching status code 200
  • -t 1 -> number of threads; it is possible to fuzz much faster than this, but since my WebGoat install is on a VirtualBox VM with limited resources, if I increase the number of threads I sometimes get errors instead of status code 200 when fuzzing

The important bit here, in my opinion, is “-mc <match by status code>”, as a list of a thousand responses in which you have to look manually for status code 200 is not of much use.

The command can also be changed to use “-fs <filter by size>” with the response size of a non-valid user ID, or “-fc <filter by code>” to get rid of all the status code 500 responses.

Which option to use really depends on how the target webapp responds to valid and invalid requests: sometimes the status code is 200 even when the body contains an error. It all depends on how the webapp/web server has been developed and configured, so this is not a “one size fits all” command at all.

FFUF command execution completed

WebGoat returns status code 200 for two values from the wordlist: 384 and 388. Since we know our own user ID is 2342384, 2342388 must be another user’s ID. At this point the lesson is already completed, because FFUF has already sent the request for that profile.

Profile request for user ID 2342388

Just for verification, the same “388” request can be sent from Burp Repeater to check the response.

The reason for using FFUF instead of Burp Intruder is that Burp Community Edition is intentionally slow at fuzzing and I was not sure how much fuzzing would be needed to get a valid user ID, whereas FFUF does the job wonderfully and at times even too fast.
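Seen from the server side, the sweep above leaves a distinctive trace: one client requesting many distinct profile IDs and getting mostly error responses, with the occasional 200 for a valid ID. As an added example (not code from the lesson or from this post), the Python snippet below flags that pattern over constructed access-log lines; the simplified log format, the client field and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not taken from the page), one request
# per line in an assumed simplified format: "<client> <method> <path> <status>".
# A real deployment would parse its own server's log format instead.
SAMPLE_LOG = """\
10.0.0.5 GET /WebGoat/IDOR/profile/2342384 200
10.0.0.5 GET /WebGoat/IDOR/profile/2342000 500
10.0.0.5 GET /WebGoat/IDOR/profile/2342001 500
10.0.0.5 GET /WebGoat/IDOR/profile/2342002 500
10.0.0.5 GET /WebGoat/IDOR/profile/2342003 500
10.0.0.5 GET /WebGoat/IDOR/profile/2342388 200
10.0.0.9 GET /WebGoat/IDOR/profile/2342384 200
10.0.0.9 GET /WebGoat/IDOR/profile/2342384 200
"""

# Only hits on the profile endpoint matter; everything else is ignored.
PROFILE_RE = re.compile(r"^(\S+) (\S+) /WebGoat/IDOR/profile/(\d+) (\d{3})$")


def parse_profile_requests(log_text):
    """Yield (client, method, user_id, status) for profile URL hits only."""
    for line in log_text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            client, method, user_id, status = m.groups()
            yield client, method, user_id, int(status)


def find_enumerators(log_text, min_distinct_ids=3, min_error_ratio=0.5):
    """Return {client: summary} for clients whose profile access looks like an
    ID sweep: many distinct userIds and a majority of non-200 responses.
    The thresholds are assumed defaults and should be tuned per application."""
    per_client = defaultdict(lambda: {"ids": set(), "requests": 0, "errors": 0, "hits": set()})
    for client, _method, user_id, status in parse_profile_requests(log_text):
        stats = per_client[client]
        stats["ids"].add(user_id)
        stats["requests"] += 1
        if status != 200:
            stats["errors"] += 1
        else:
            stats["hits"].add(user_id)  # IDs the sweep actually resolved
    flagged = {}
    for client, s in per_client.items():
        if len(s["ids"]) >= min_distinct_ids and s["errors"] / s["requests"] >= min_error_ratio:
            flagged[client] = {"distinct_ids": len(s["ids"]), "errors": s["errors"],
                               "requests": s["requests"], "successful_ids": sorted(s["hits"])}
    return flagged
```

The flagged summary lists the IDs that returned 200 to the sweeping client, which is exactly the set of profiles that need to be checked for unauthorized disclosure.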

Ok, so now it’s time to change Buffalo Bill’s user details.

POST request not allowed

By changing GET to POST and adding the details taken from the response to the GET request, WebGoat responds that POST is not allowed: in fact the “Allow” header lists only GET and PUT.

Response status code 415 — Unsupported Media Type

The method is now PUT, and this time the response error is “Unsupported Media Type”, so the “Content-Type” header must be changed.

Response status code 400 — Bad request

“Content-Type” is now “application/json”, and the response error is “Bad Request”.

Response trace error detail

Reading the “trace” field of the response makes it clear that the data is wrongly formatted: it is not the JSON that WebGoat (Spring) expects.

Request in correct JSON format

Once the data payload matches the expected JSON format, the lesson is completed.

This concludes WebGoat IDOR 5.

I hope you liked it.

PVXs — https://twitter.com/pivixih
