Capability URL Explorer
This tool helps you understand how capability URLs can be analyzed and, when poorly implemented, enumerated. Enter a URL to decode its token, or scan a range of IDs to discover files.
Remember: security through obscurity only works when the obscurity is actually... obscure.
URL Analyzer
We'll decode the token and show you adjacent IDs.
ID Enumerator
Scan a range of IDs to discover files. This simulates what an attacker could do if they guessed that IDs are sequential.
Token Scheme Reference
capabilityIRL supports four "security" schemes. Each has its own encoding method, and its own fatal flaw.
| Scheme | Format | Security Rating | The Flaw |
|---|---|---|---|
| Sequential | 1, 2, 3... | None | Just increment the number |
| Base64 | c2VjcmV0X2ZpbGVfMQ== | None | Base64 is encoding, not encryption |
| Timestamp | m5x9k2-1 | None | ID is just base36 after the hyphen |
| UUID-ish | f47ac10b-58cc-4372-a567-000000010000 | None | Last segment is hex-encoded ID |
All four schemes share the same fundamental flaw: the file ID is deterministically derivable from the token. However elaborate the encoding looks, anyone holding one valid token can extract the ID, rebuild tokens for neighbouring IDs, and enumerate adjacent files.
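The following is an added example, not part of capabilityIRL or of this page, showing what the URL Analyzer and the ID Enumerator do for all four schemes in the table: recover the file ID from a token, then rebuild tokens for adjacent IDs or for a whole ID range. The sample tokens are the table's own (all for ID 1); the plaintext layout `secret_file_<id>` inside the base64 token, the assumption that only the part after the hyphen of a timestamp token is checked, and the split of the UUID's last segment into an 8-hex-digit ID plus 4 fixed hex digits are assumptions drawn from those samples. The function and variable names are the example's own.

```python
import base64
import binascii
import re

# Constructed sample tokens for file ID 1, one per scheme, taken from the
# reference table. The plaintext layout "secret_file_<id>" inside the base64
# token and the split of the UUID's last segment are assumptions.
SAMPLES = {
    "sequential": "1",
    "base64": "c2VjcmV0X2ZpbGVfMQ==",
    "timestamp": "m5x9k2-1",
    "uuidish": "f47ac10b-58cc-4372-a567-000000010000",
}

B64_PREFIX = "secret_file_"   # assumed plaintext prefix inside the base64 token
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"
UUID_RE = re.compile(r"^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})-([0-9a-f]{12})$")
TIMESTAMP_RE = re.compile(r"^([0-9a-z]+)-([0-9a-z]+)$")


def to_base36(n):
    """Encode a non-negative integer with the alphabet that int(x, 36) accepts."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(BASE36[r])
    return "".join(reversed(digits))


def decode(token):
    """Recover (scheme, file_id, context) from a token.

    context holds the non-ID parts (timestamp prefix, fixed UUID fields) needed
    to rebuild a token for a different ID. Raises ValueError if the token
    matches none of the four schemes.
    """
    t = token.strip()
    if t.isascii() and t.isdigit():                   # Sequential: the token is the ID
        return "sequential", int(t), None
    m = UUID_RE.match(t.lower())
    if m:                                             # UUID-ish: ID lives in the last segment
        head, seg = m.groups()
        # Assumption: first 8 hex digits are the ID, trailing 4 are fixed padding
        # (the sample for ID 1 ends in ...000000010000).
        return "uuidish", int(seg[:8], 16), (head, seg[8:])
    m = TIMESTAMP_RE.match(t)
    if m:                                             # Timestamp: base36 ID after the hyphen
        prefix, id36 = m.groups()
        return "timestamp", int(id36, 36), prefix
    try:                                              # Base64: decode, then strip the prefix
        plain = base64.b64decode(t, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError(f"unrecognised token: {token!r}") from None
    if plain.startswith(B64_PREFIX) and plain[len(B64_PREFIX):].isdigit():
        return "base64", int(plain[len(B64_PREFIX):]), None
    raise ValueError(f"unrecognised token: {token!r}")


def encode(scheme, file_id, context=None):
    """Build the token for file_id in the given scheme (inverse of decode)."""
    if scheme == "sequential":
        return str(file_id)
    if scheme == "base64":
        return base64.b64encode(f"{B64_PREFIX}{file_id}".encode()).decode("ascii")
    if scheme == "timestamp":
        # Assumption: only the part after the hyphen is checked, so the observed
        # timestamp prefix is reused unchanged.
        return f"{context}-{to_base36(file_id)}"
    if scheme == "uuidish":
        head, tail = context
        return f"{head}-{file_id:08x}{tail}"
    raise ValueError(f"unknown scheme: {scheme}")


def adjacent(token, radius=2):
    """URL Analyzer step: decode one token and emit tokens for its neighbours."""
    scheme, file_id, ctx = decode(token)
    ids = [i for i in range(file_id - radius, file_id + radius + 1) if i >= 1]  # IDs start at 1
    return scheme, file_id, [encode(scheme, i, ctx) for i in ids]


def enumerate_range(token, start, stop):
    """ID Enumerator step: tokens for every ID in [start, stop], using one observed token as template."""
    scheme, _, ctx = decode(token)
    return [encode(scheme, i, ctx) for i in range(start, stop + 1)]


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, adjacent(sample))
```

The order of checks in `decode` matters: a pure-digit string is claimed by the sequential branch before base64 gets a chance, and the UUID pattern is tried before the looser timestamp pattern. A token that survives all four branches raises, which is the behaviour you want from a token that really is unguessable random bytes: there is nothing in it to decode.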
Try It Out
No files in the vault? Load some demo data to explore the vulnerability.