> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/bypass/access-control/trick-0274.md).

# Insecure Direct Object Reference Via Path Fuzzing

***

Access objects you are not authorized to view by fuzzing identifiers directly in the URL path or discovering hidden paths and files. Use a tool like `wfuzz` to substitute potential IDs or directory/file names in the path component.

For example, to fuzz numerical IDs in the path `/FUZZ/block`, while providing necessary cookies and hiding noise (responses of size 179 bytes):

```bash
wfuzz -u http://drive.htb/FUZZ/block -H 'Cookie: csrftoken=...; sessionid=...' -w wordlist.txt --hh 179 -L
```

Replace `wordlist.txt` with a list of potential IDs (e.g., numbers 0-100) or use `wfuzz`'s built-in numerical fuzzing capabilities if supported for the path position. Adjust the URL, cookie, and hide flag (`--hh`) based on the target. The `-L` flag follows redirects, which can be useful if valid IDs redirect to content pages.

Another common scenario is fuzzing user IDs. To find valid user IDs, one might use `wfuzz` targeting a path like `/users/FUZZ`:

```bash
wfuzz -u http://example.com/users/FUZZ -w /path/to/id_list.txt --hc 404
```

This command targets the `/users/FUZZ` path, replacing FUZZ with values from `id_list.txt`. The `--hc 404` flag hides responses with a 404 status code, helping to filter out invalid IDs and focus on responses indicating a valid user.

You can also fuzz a path component using standard wordlists, for instance, iterating through numbers from a common security wordlist:

```bash
wfuzz -u http://target.com/path/to/FUZZ -w /usr/share/wordlists/seclists/Fuzzing/numbers.txt
```

This will iterate through numbers from the wordlist and replace FUZZ in the URL. The choice of wordlist depends on the expected format of the identifier being fuzzed.

Beyond simple IDs, Wfuzz can be used to look for hidden content, such as files and directories, within a web server, allowing to find further attack vectors. This is often referred to as path or directory fuzzing.

A basic command to fuzz for common directories using a wordlist might look like this:

```bash
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://FUZZ/
```

Here, `-c` colors the output, `-z file,...` specifies the payload type and wordlist, `--hc 404` hides responses with a 404 status code, and `http://FUZZ/` indicates the target URL with the fuzzing position. Similarly, using a different common wordlist:

```bash
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://testphp.vulnweb.com/FUZZ/
```

The `--hc 404` option is useful to filter out "Not Found" responses, focusing on potentially interesting paths. Other filtering options include hiding responses based on size (`--hh <size>`) or number of lines (`--hl <lines>`). For example, to hide responses of size 0 bytes or 0 lines:

```bash
wfuzz -c -z file,wordlist.txt --hh 0 http://example.com/FUZZ
wfuzz -c -z file,wordlist.txt --hl 0 http://example.com/FUZZ
```

Wfuzz also supports multiple fuzzing points in a single request. This is useful, for instance, when fuzzing for files with different extensions. You can define multiple `FUZZ` positions and assign different wordlists or lists to them. For example, to fuzz for common files with `.php`, `.html`, or `.txt` extensions:

```bash
wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt -z list,php,html,txt --hc 404 http://testphp.vulnweb.com/FUZZ.FUZ2Z
```

In this command, `FUZZ` will be replaced by entries from `common.txt`, and `FUZ2Z` will be replaced by `.php`, `.html`, or `.txt` from the list.
