Difficulty: Easy
Tips: Don't blindly increment IDs by hand until you hit PII; tools can do this for you.
Ideas for finding IDOR attack vectors:
- What do they use for authorization? (JWT, API keys, cookies, tokens) Tip: find this out by replacing a high-privilege authorization credential with a lower-privilege one and seeing how the server responds.
- Understand how they use IDs, hashes, and their API. Do this by reading the API documentation, if they have one.
Every time you see a new API endpoint that receives an object ID from the client, ask yourself the following questions:
- Does the ID belong to a private resource? (e.g. /api/user/123/news vs /api/user/123/transaction)
- What are the IDs that belong to me?
- What are the different possible roles in the API? (For example: user, driver, supervisor, manager)
- Add parameters to the endpoint. For example, compare:
GET /api_v1/messages --> 401
vs
GET /api_v1/messages?user_id=victim_uuid --> 200
- HTTP Parameter pollution
GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized
GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK
GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
- Add .json to the endpoint if it is built in Ruby:
/user_data/2341 --> 401 Unauthorized
/user_data/2341.json --> 200 OK
- Test on outdated API versions:
/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
- Wrap the ID in an array:
{"id":111} --> 401 Unauthorized
{"id":[111]} --> 200 OK
- Wrap the ID in a JSON object:
{"id":111} --> 401 Unauthorized
{"id":{"id":111}} --> 200 OK
- JSON Parameter Pollution:
POST /api/get_profile
Content-Type: application/json
{"user_id":<legit_id>,"user_id":<victim's_id>}
- Try sending a wildcard (*) instead of an ID. It's rare, but sometimes it works.
- If it is a numeric ID, test a large range of numbers rather than guessing a handful.
- If an endpoint has a name like /api/users/myinfo, check for /api/admins/myinfo.
- Swap the request method (GET/POST/PUT).
- Use the Burp extension Autorize.
- If none of these work, get creative and ask around!
- Let's say you find a low-impact IDOR, like changing someone else's name; chain that with XSS and you have stored XSS!
- If you find an IDOR on an endpoint but it requires a UUID, chain it with an info-disclosure endpoint that leaks UUIDs and bypass this!
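The checklist above is the tester's view; the defender's counterpart is a single authorization path that none of these vectors can sidestep. The Python module below is an added example written for this page, not code from the original list or from any project it mentions; the route shape, the message store and every name in it are constructed assumptions. It takes the object ID from exactly one place, refuses arrays, nested objects, wildcards and duplicate query or JSON keys, and applies the same ownership check for every API version, `.json` suffix and HTTP method.

```python
"""Hardened object-level authorization for a 'messages' API.

Added example (not the page's code). Every API version, response format and
HTTP method funnels into one handler that accepts exactly one plain numeric
id and checks ownership before returning anything. Names, routes and the
data store are constructed for the example.
"""
import json
import re
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Any authorization failure; a web layer would map this to HTTP 403."""


# Constructed sample store: message id -> (owner, text)
MESSAGES = {
    101: ("alice", "alice's private note"),
    202: ("bob", "bob's private note"),
}

# One route pattern for every version (/v1, /v3, ...) and the .json format
# suffix, so an outdated version or a Rails-style extension cannot reach a
# handler that skips the check.
ROUTE = re.compile(r"^/v\d+/messages(?:/(?P<id>[^/.]+))?(?:\.json)?$")


def _json_object_no_duplicates(body: str) -> dict:
    """json.loads silently keeps the last duplicate key; refuse duplicates."""
    def hook(pairs):
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            raise Forbidden("duplicate JSON keys")
        return dict(pairs)
    try:
        data = json.loads(body, object_pairs_hook=hook)
    except ValueError as exc:
        raise Forbidden("malformed JSON body") from exc
    if not isinstance(data, dict):
        raise Forbidden("body must be a JSON object")
    return data


def canonical_id(raw) -> int:
    """Accept one plain numeric id; arrays, objects, wildcards and bools fail."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise Forbidden("id must be a scalar")   # rejects [111] and {"id": 111}
    text = str(raw)
    if not re.fullmatch(r"[0-9]{1,18}", text):
        raise Forbidden("id must be numeric")    # rejects "*", "", "111abc"
    return int(text)


def extract_id(path: str, query: str = "", body: str = "") -> int:
    """Collect id candidates from path, query and body; require exactly one."""
    match = ROUTE.match(path)
    if not match:
        raise Forbidden("unknown route")
    candidates = []
    if match.group("id") is not None:
        candidates.append(match.group("id"))
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.rstrip("[]") == "id":              # covers id= and id[]=
            candidates.extend(values)             # every repeat is a candidate
    if body:
        data = _json_object_no_duplicates(body)
        if "id" in data:
            candidates.append(data["id"])
    if len(candidates) != 1:
        # Parameter pollution (id=A&id=B, path id plus body id, ...) lands here:
        # ambiguity is rejected, never resolved by "first wins" or "last wins".
        raise Forbidden("expected exactly one id")
    return canonical_id(candidates[0])


def get_message(session_user: str, method: str, path: str,
                query: str = "", body: str = "") -> str:
    """Return the message text only if session_user owns it."""
    if method not in ("GET", "POST", "PUT"):
        raise Forbidden("method not allowed")
    msg_id = extract_id(path, query, body)        # same check for every method
    record = MESSAGES.get(msg_id)
    if record is None or record[0] != session_user:
        # Identical failure for "does not exist" and "not yours", so the
        # endpoint is not an existence oracle for id enumeration.
        raise Forbidden("no such message")
    return record[1]


def denied(*args, **kwargs) -> bool:
    """True when get_message refuses the request."""
    try:
        get_message(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(get_message("alice", "GET", "/v1/messages/101"))
    print(denied("bob", "GET", "/v3/messages/101.json"))
    print(denied("bob", "POST", "/v1/messages", body='{"id":202,"id":101}'))
```

Run it directly to see the allowed and denied cases. The design choice that matters is that any ambiguity about which ID the request names is refused outright, since "which copy wins" is exactly the question the pollution and wrapping tests above probe; the version prefix, the `.json` suffix and the HTTP method are all normalised away before the single ownership check runs.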
https://twitter.com/swaysThinking/status/1301663848223715328
- IDOR to delete images from other stores
- IDOR in changing shared file name
- User uploaded portfolio files can be accessed by any user even after deleted
- IDOR and statistics leakage in Orders
- IDOR to Order, Book, Buy, Reserve on Yelp for free (unauthorized use of other users' credit cards)
- IDOR allows access to payment data of any user
- IDOR allows extracting all registered emails
- IDOR at https://account.mackeeper.com/at/load-reports/profile/<profile_id> leaks information about devices/licenses
- IDOR bug to see hidden slowvote of any user even when you don't have access rights
- IDOR on update user preferences
- IDOR on upload profile functionality
- IDOR to view User Order Information
- IDOR with Geolocation data not stripped from images
- Replace other user files in Inbox messages