ZZEPHRYX//

FIELD NOTE 001

WEB PENTESTBEGINNER FRIENDLY11 MIN READ

Port 80 is open.
Now what?

I found nothing exciting during passive recon. Then one open web port gave me a place to start. Several wrong turns later, a simple request-and-response comparison exposed an IDOR.

AUTHORIZED TEST ONLY

The sequence comes from sanitized testing notes. Visuals are reconstructed with redacted values so no real target or user data is exposed.

Most writeups make a bug look inevitable: run the right tool, notice the perfect parameter, find the vulnerability. That is not how this test felt.

I had no secret trick. I followed the application, made a few weak assumptions, went down paths that returned nothing, and kept comparing what the server accepted with what it should have accepted.

00 // SCOPE

Before touching the target

This was a normal, authorized pentest. The host redacted.in was inside the agreed scope and the rules allowed non-destructive web testing.

I wrote down three limits before I started:

  • Stay inside the listed host and testing window.
  • Use only accounts and data created for the test.
  • Stop as soon as there is enough evidence to prove a security issue.
WHY THIS MATTERS

An open port is not permission. Scope is the first technical control in a legal pentest.

01 // PASSIVE RECON

I started quietly—and found almost nothing.

I checked Shodan for old services and exposed hosts. I also used simple Google searches such as site:redacted.in and looked for public documentation, login pages, and forgotten files.

The result was underwhelming: no useful subdomains, no leaked documents, and no interesting cached pages. That was still a result. It told me to stop forcing passive recon and move to the active checks allowed by the engagement.

Sanitized passive reconnaissance workspace showing no useful exposed assets for redacted.in
FIG 01 Reconstructed from sanitized notes: passive recon returned no useful lead.
02 // SERVICE DISCOVERY

Then Nmap gave me one clue: HTTP.

I ran a small, scope-limited service scan. Port 80 was open and serving HTTP. That sounds ordinary—and it is—but it changed the next question from “what is exposed?” to “what does this web application trust?”

$ nmap -sV -p 80 redacted.in
80/tcp  open  http

I opened the site in a browser before doing anything aggressive. It redirected into a working application with login and registration flows. The response headers did not reveal an obvious vulnerable version, so version hunting was not going to carry this test.

Sanitized terminal showing port 80 open for redacted.in
FIG 02 Reconstructed from sanitized output: Port 80 was a starting point, not a vulnerability.
03 // TRIAL AND ERROR

The obvious checks went nowhere.

I checked robots.txt, common public files, page source, JavaScript filenames, and a short list of likely paths. I found a few normal application routes but nothing sensitive.

I also spent time looking for a hidden admin panel. That assumption came from the site’s structure, not from evidence. It was a dead end. I stopped expanding the path list when the responses became repetitive and returned to the application itself.

ATTEMPT 01Public files

Normal responses. No secrets or useful comments.

ATTEMPT 02Hidden paths

Mostly the same not-found page. No lead.

ATTEMPT 03Version hunting

No reliable vulnerable component to validate.

MISTAKE I MADE

I was searching for a dramatic entry point. The useful clue was inside a normal authenticated feature.

04 // APPLICATION MAPPING

I stopped guessing and used the site normally.

I created two test accounts—Account A and Account B—because the rules allowed it. Then I clicked through each feature while Burp Suite recorded the traffic.

For every request, I noted four things: the action, the endpoint, the identifier being sent, and the response. A normal “view order” action stood out because the request included a predictable numeric object ID.

ACCOUNT AGET /api/orders/1042200 OKACCOUNT BGET /api/orders/1088200 OK

A numeric ID is not automatically a bug. The important question was whether the server checked that the signed-in user owned the requested object.

05 // BURP ANALYSIS

One changed number changed the result.

I sent Account A’s order request to Burp Repeater. First, I replayed it unchanged to confirm the response was stable. Then I changed only the order ID to the ID created by Account B.

The session cookie still belonged to Account A. The server returned 200 OK and included Account B’s sanitized order data. The application had authenticated the user, but it had not authorized access to that specific object.

Sanitized proxy request and response comparison demonstrating an IDOR between two controlled test accounts
FIG 03 Reconstructed from sanitized evidence: one manual identifier change returned the other controlled account’s record.
BEGINNER NOTE

What is IDOR?

Insecure Direct Object Reference happens when an application accepts an object identifier—such as an order ID—but fails to verify that the current user is allowed to access that object.

06 // SAFE VALIDATION

I proved the minimum and stopped.

I repeated the comparison once in the opposite direction using only my two controlled accounts. That confirmed the behavior was consistent. I did not enumerate other IDs, download real user data, or automate the request.

CONTROL

A requests A’s object

200 OK
TEST

A requests B’s object

200 OK — FAIL
EXPECTED

A requests B’s object

403 OR 404

I saved the original request, the single changed value, both sanitized responses, timestamps, and the two test account IDs. That was enough evidence for a reproducible report.

07 // IMPACT + FIX

Why this mattered

An authenticated user could access an object owned by another user. Depending on the real fields behind that endpoint, this could expose personal or transaction data. I reported only the impact I had actually demonstrated.

What the application should do

  • Check object ownership or permission on every server-side request.
  • Deny access by default when the user-object relationship is missing.
  • Add authorization tests for cross-account access.
  • Use unpredictable identifiers as defense in depth—not as a replacement for authorization.
  • Review nearby endpoints that use the same object-access pattern.
08 // LESSONS

What I took away from it

  1. Nothing found is still information.

    Passive recon did not fail. It helped me choose a better next step.

  2. An open port is context, not a finding.

    Port 80 only pointed me toward the application and its trust boundaries.

  3. Normal features deserve attention.

    The bug was not hidden in an exotic endpoint. It lived inside an everyday action.

  4. Change one thing at a time.

    Burp Repeater made the authorization failure easy to explain because only the object ID changed.

  5. Prove less, document more.

    Two controlled accounts and one manual comparison were enough. More access would only create more risk.

FINAL NOTE
Port 80 did not reveal the bug. It gave me a door. The finding came from slowing down and asking what every ordinary request was allowed to see.
← BACK TO WRITEUPSOPEN FREE COMMANDS →