vos9/Web_Hacking
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create IDOR.md

Browse Source
This commit is contained in:
Mehdi 2023-09-02 15:44:00 +03:30 committed by GitHub
parent 02e55dac1b
commit 426b521be2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 79 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
IDOR.md Normal file
View File

@ -0,0 +1,79 @@
# IDOR
**1. Dont ignore encoded and hashed IDs**
if the application is using a hashed/ randomized ID, see if the ID is predictable. Sometimes applications use algorithms that produce insufficient entropy, and as such, the IDs can actually be predicted after careful analysis.
```html
GET /api_v1/messages?conversation_id=SOME_RANDOM_ID
```
```html
GET /api_v1/messages?user_id=ANOTHER_USERS_ID
```
**2. If you cant guess it, try creating it**
object reference IDs.
**3. Offer the application an ID, even if it doesnt ask for it**
id, user_id, message_id,...
```javascript
GET /api_v1/messages
// What about this one? Would it display another users messages instead?
GET /api_v1/messages?user_id=ANOTHER_USERS_ID
```
**4. HPP (HTTP parameter pollution)**
HPP vulnerabilities (supplying multiple values for the same parameter) can also lead to IDOR. Applications might not anticipate the user submitting multiple values for the same parameter and by doing so, you might be able to bypass the access control set forth on the endpoint.
```javascript
// if
GET /api_v1/messages?user_id=ANOTHER_USERS_ID
// try this
GET /api_v1/messages?user_id=YOUR_USER_ID&user_id=ANOTHER_USERS_ID
// or this
GET /api_v1/messages?user_id=ANOTHER_USERS_ID&user_id=YOUR_USER_ID
// Or provide the parameters as a list
GET /api_v1/messages?user_ids[]=YOUR_USER_ID&user_ids[]=ANOTHER_USERS_ID
// The value of a parameter is used directly to retrieve a file system resource
GET /showImage?img=img00011
```
**5. Blind IDORs**
They might lead the application to leak information elsewhere instead: in export files, emails and maybe even text alerts.
**6. Change the request method**
try instead: `GET`, `POST`, `PUT`, `DELETE`, `PATCH`
A common trick that works is substituting `POST` for `PUT` or vice versa.
**7. Change the requested file type (content type)**
For example, try adding `.json` to the end of the request URL and see what happens.
**8. Transform numerical values to arrays**
`{"id":19} → {"id":[19]}`