Insecure Direct Object Reference
IDOR Checklist
Basics
https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html

For example, say we log into our bank account and, after authenticating correctly, we are taken to a URL like https://example.com/bank?account_number=1234. That page shows all our important bank details; a normal user does whatever they came to do and moves on, thinking nothing is wrong. There is, however, a potentially huge problem here: an attacker may be able to change the account_number parameter to something else, such as 1235, and if the site does not enforce access control on that parameter, they gain access to someone else's bank information.
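The bank example above, worked through as an added illustration (this is not code from the original checklist or from any referenced writeup): a lookup handler written first in the vulnerable form, which trusts the client-supplied account_number, and then in the hardened form, which takes the identity from the server-side session and scopes the lookup to objects that identity owns. The account data, user names and handler function are all constructed for the example.

```python
# Added example (not from the original checklist): the bank-account lookup
# described above, first as the vulnerable pattern and then with a proper
# server-side authorization check. All names and data here are constructed.

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Account:
    account_number: int
    owner: str      # username of the authenticated principal that owns it
    balance: float


# Constructed sample data standing in for a database table.
ACCOUNTS: Dict[int, Account] = {
    1234: Account(1234, "alice", 2500.00),
    1235: Account(1235, "bob", 810.50),
}


def get_account_insecure(session_user: str, account_number: int) -> Optional[Account]:
    """Vulnerable: returns whatever record the client asked for and never checks
    that the logged-in user owns it. Changing 1234 to 1235 in the URL hands
    bob's account to alice."""
    return ACCOUNTS.get(account_number)


def get_account_secure(session_user: str, account_number: int) -> Optional[Account]:
    """Hardened: the identity comes from the server-side session, and the lookup
    is scoped to objects that identity may see. A foreign account and a
    nonexistent one get the same answer (None -> 404), so the check also does
    not leak which account numbers exist."""
    account = ACCOUNTS.get(account_number)
    if account is None or account.owner != session_user:
        return None
    return account


def handle_request(session_user: str, query_account_number: str,
                   secure: bool = True) -> Tuple[int, dict]:
    """Simulates GET /bank?account_number=... after authentication.
    Returns (HTTP status, JSON body)."""
    try:
        account_number = int(query_account_number)
    except ValueError:
        return 400, {"error": "account_number must be an integer"}
    lookup = get_account_secure if secure else get_account_insecure
    account = lookup(session_user, account_number)
    if account is None:
        return 404, {"error": "not found"}
    return 200, {"account_number": account.account_number, "balance": account.balance}


if __name__ == "__main__":
    # alice is logged in and edits the parameter in her browser
    print(handle_request("alice", "1234"))                 # her own account
    print(handle_request("alice", "1235", secure=False))   # vulnerable: bob's data
    print(handle_request("alice", "1235"))                 # hardened: 404
```

The point of the hardened version is that the authorization decision is made from data the client cannot tamper with (the session) rather than from the object identifier in the URL; in a real application the same scoping belongs in the database query itself (filter by owner), not only in a check after the fetch.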
How to Find
Add parameters onto the endpoints for example, if there was
Try this to bypass
HTTP Parameter pollution
Add .json to the endpoint
Try this to bypass
Test on outdated API Versions
Try this to bypass
Wrap the ID with an array.
Try this to bypass
Wrap the ID with a JSON object
Try this to bypass
JSON Parameter Pollution
Try decoding the ID if it is encoded (md5, base64, etc.):
dmljdGltQG1haWwuY29t => victim@mail.com
If the website uses GraphQL, try to find IDOR through GraphQL as well!
MFLAC (Missing Function Level Access Control)
Try this to bypass
Try swapping a UUID for a numeric ID
Try this to bypass
Change HTTP Method
Try this to bypass
Path traversal
Try this to bypass
Change request content type
Try this to bypass
Send wildcard instead of ID
Try this to bypass
Try Google dorking to find new endpoints
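Two of the items above deserve a worked illustration from the defender's side: the encoded-ID item (base64 or md5 around an identifier is not access control) and, since most of the checklist amounts to probing object identifiers, how that probing shows up in logs. The block below is an added example and is not code from the original checklist or its referenced writeups; the indirect reference map, the log format and every sample value except the checklist's own dmljdGltQG1haWwuY29t are constructed.

```python
# Added example, not from the original checklist: (1) why an encoded or hashed
# identifier gives no protection, (2) a per-user indirect reference map as the
# defensive alternative, and (3) a small log check that surfaces the sequential
# id probing most items in this checklist rely on. All names, tokens and log
# lines are constructed.

import base64
import hashlib
import re
import secrets
from collections import defaultdict
from typing import Dict, Optional, Set


def decode_base64_id(encoded: str) -> str:
    """Base64 is an encoding, not a secret: the checklist's own sample
    dmljdGltQG1haWwuY29t is simply victim@mail.com."""
    return base64.b64decode(encoded).decode("utf-8")


def md5_of(value: str) -> str:
    """Hashing a low-entropy identifier (a small integer, a known e-mail) does
    not hide it either: the digest is deterministic, so anyone who can guess
    the input can recompute the reference."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


class IndirectReferenceMap:
    """Hands each user random, unguessable tokens in place of real object ids
    and resolves them only inside that user's own map. A token copied from one
    session resolves to nothing in another, and the server keeps the mapping,
    so editing the token cannot select another user's object."""

    def __init__(self) -> None:
        self._maps: Dict[str, Dict[str, int]] = defaultdict(dict)

    def issue(self, user: str, object_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._maps[user][token] = object_id
        return token

    def resolve(self, user: str, token: str) -> Optional[int]:
        return self._maps[user].get(token)


# Constructed access-log lines: user, method, path, status.
SAMPLE_LOG = """\
alice GET /bank?account_number=1234 200
alice GET /bank?account_number=1235 404
alice GET /bank?account_number=1236 404
alice GET /bank?account_number=1237 404
bob GET /bank?account_number=1235 200
"""

LOG_RE = re.compile(r"^(\S+) \S+ /bank\?account_number=(\d+) (\d{3})$")


def denied_probes_per_user(log_text: str) -> Dict[str, int]:
    """Counts, per user, the distinct account numbers that were refused
    (403/404). A legitimate user rarely asks for many objects that are not
    theirs; a run of refusals across adjacent ids is the signature of id
    probing and is worth alerting on."""
    refused: Dict[str, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) in ("403", "404"):
            refused[m.group(1)].add(int(m.group(2)))
    return {user: len(ids) for user, ids in refused.items()}


if __name__ == "__main__":
    print(decode_base64_id("dmljdGltQG1haWwuY29t"))
    refs = IndirectReferenceMap()
    token = refs.issue("alice", 1234)
    print(refs.resolve("alice", token), refs.resolve("bob", token))
    print(denied_probes_per_user(SAMPLE_LOG))
```

An indirect reference map only removes the guessable identifier from the client; the ownership check from the earlier bank example is still required at resolve time, because a token is a handle, not a proof of entitlement. The log check is deliberately coarse: in practice the threshold and window are tuned per endpoint, and 403 versus 404 is chosen by what the application actually returns for foreign objects.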
Reference:
@swaysThinking and other Medium writeups