Insecure Direct Object Reference (IDOR)

Introduction

IDOR stands for Insecure Direct Object Reference. It is a security vulnerability in which a user is able to access and modify the data of any other user in the system, because the application uses a user-supplied reference to an object (such as a database ID) without checking that the requester is authorized to use it.

Where to find

  • It is most often found in APIs.

  • Check HTTP requests that contain a unique ID, for example user_id or id.
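
On the defender's side, the same request pattern that makes IDOR easy to find (a single id parameter the client controls) also makes enumeration easy to spot in access logs: one session walking through many distinct, often consecutive, ids in a short window. The following Python is an added example, not code from the original page; it assumes a constructed log format of "<ISO timestamp> <session> <method> <path>" and watches only the user_id and id parameters named above (the sample lines are constructed, not real traffic).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not from the original page). One event per
# line: "<ISO timestamp> <session> <method> <path>". sess-A walks through
# consecutive ids; sess-B and sess-C only touch one record each.
SAMPLE_LOG = """\
2024-01-01T10:00:00 sess-A GET /api/v1/getuser?id=1234
2024-01-01T10:00:01 sess-A GET /api/v1/getuser?id=1235
2024-01-01T10:00:02 sess-A GET /api/v1/getuser?id=1236
2024-01-01T10:00:03 sess-A GET /api/v1/getuser?id=1237
2024-01-01T10:00:04 sess-A GET /api/v1/getuser?id=1238
2024-01-01T10:00:05 sess-A GET /api/v1/getuser?id=1239
2024-01-01T10:05:00 sess-B GET /api/v1/getuser?id=42
2024-01-01T10:05:30 sess-B GET /api/v1/getuser?id=42
2024-01-01T10:06:00 sess-C GET /api/v1/getuser?user_id=7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Object-reference parameters worth watching (the page names user_id and id).
ID_PARAM_RE = re.compile(r"[?&](?:user_id|id)=([^&]+)")


def parse_log(text):
    """Return (timestamp, session, object_id) for every line carrying an id."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, session, _method, path = match.groups()
        id_match = ID_PARAM_RE.search(path)
        if id_match:
            events.append((datetime.fromisoformat(ts), session, id_match.group(1)))
    return events


def looks_sequential(ids):
    """True if the numeric ids form an unbroken ascending run (1234, 1235, ...)."""
    nums = sorted(int(i) for i in ids if i.isdigit())
    return len(nums) >= 2 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def find_enumeration(events, window=timedelta(minutes=1), threshold=5):
    """Flag sessions that request >= threshold distinct ids inside any window.

    Returns {session: {"distinct": n, "sequential": bool}}.
    """
    by_session = defaultdict(list)
    for ts, session, obj_id in events:
        by_session[session].append((ts, obj_id))
    flagged = {}
    for session, items in by_session.items():
        items.sort()  # chronological, so each slice below starts a window
        for i, (start, _) in enumerate(items):
            seen = {oid for ts, oid in items[i:] if ts - start <= window}
            if len(seen) >= threshold:
                flagged[session] = {"distinct": len(seen),
                                    "sequential": looks_sequential(seen)}
                break
    return flagged


if __name__ == "__main__":
    for session, info in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(session, info)  # sess-A {'distinct': 6, 'sequential': True}
```

The threshold and window are tuning knobs: a session that legitimately lists its own resources will touch several ids, so the "sequential" flag is the stronger signal, because genuine clients rarely step through consecutive keys.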

How to exploit

  1. Add parameters to the endpoint. For example, if the request was

GET /api/v1/getuser HTTP/1.1
Host: example.com
...

Try this to bypass

GET /api/v1/getuser?id=1234 HTTP/1.1
Host: example.com
...

  2. HTTP parameter pollution

  3. Add .json to the endpoint

Try this to bypass

  4. Test on outdated API versions

Try this to bypass

  5. Wrap the ID in an array

Try this to bypass

  6. Wrap the ID in a JSON object

Try this to bypass

  7. JSON parameter pollution

  8. Try to decode the ID if it is encoded (MD5, Base64, etc.)

dmljdGltQG1haWwuY29t => victim@mail.com

  9. If the website uses GraphQL, try to find IDOR through GraphQL

  10. MFLAC (Missing Function Level Access Control)

Try this to bypass

  11. Try to swap the UUID with a number

Try this to bypass

  12. Change the HTTP method

Try this to bypass

  13. Path traversal

Try this to bypass

  14. Change the request Content-Type

Try this to bypass

  15. Send a wildcard instead of the ID

Try this to bypass

  16. Try Google dorking to find new endpoints
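
Every item in the list above varies how the reference reaches the server; the server-side fix is the same for all of them: resolve the request to exactly one canonical id, then check that the session owns that object before returning or changing anything. The following Python is an added example, not code from the original page, built on a constructed in-memory profile store. It places the bare IDOR pattern (get_profile_insecure) beside a hardened handler: extract_id refuses duplicated parameters (HTTP parameter pollution), ids wrapped in arrays or objects, wildcards and non-canonical formats; parse_json_strict rejects duplicate JSON keys; and get_profile runs the same ownership check whatever the method, path suffix or Content-Type, answering missing and foreign objects identically.

```python
import json
from urllib.parse import parse_qs

# Constructed in-memory profile store (not from the original page).
# Object id -> record; "owner" is the account allowed to read it.
PROFILES = {
    "1234": {"owner": "1234", "email": "alice@example.invalid"},
    "1235": {"owner": "1235", "email": "bob@example.invalid"},
}


class BadRequest(Exception):
    pass


class Forbidden(Exception):
    pass


def get_profile_insecure(obj_id):
    """The IDOR pattern: the reference is trusted as-is, with no ownership check."""
    return PROFILES[str(obj_id)]


def _no_duplicate_keys(pairs):
    """object_pairs_hook that rejects repeated keys (JSON parameter pollution)."""
    out = {}
    for key, value in pairs:
        if key in out:
            raise BadRequest("duplicate JSON key: %s" % key)
        out[key] = value
    return out


def parse_json_strict(text):
    try:
        return json.loads(text, object_pairs_hook=_no_duplicate_keys)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise BadRequest("malformed JSON: %s" % exc)


def extract_id(query_string="", json_body=None):
    """Accept exactly one scalar decimal id from the query string or body.

    Rejects duplicated parameters, ids wrapped in arrays or objects, wildcards
    and any format other than the canonical one this store uses, so the
    ownership check never sees an ambiguous reference.
    """
    candidates = []
    if query_string:
        qs = parse_qs(query_string, keep_blank_values=True)
        for key in ("id", "user_id"):
            candidates.extend(qs.get(key, []))
    if json_body is not None:
        for key in ("id", "user_id"):
            if key in json_body:
                value = json_body[key]
                if isinstance(value, (list, dict)):
                    raise BadRequest("%s must be a scalar" % key)
                candidates.append(str(value))
    if len(candidates) != 1:
        raise BadRequest("expected exactly one id, got %d" % len(candidates))
    obj_id = candidates[0]
    if not obj_id.isdigit():  # drops '*', '%', UUIDs and encoded blobs alike
        raise BadRequest("id must be a decimal integer")
    return obj_id


def get_profile(session_user, query_string="", body=None):
    """Hardened handler: the same ownership check regardless of method, path
    suffix or Content-Type, and one response for missing and foreign objects."""
    json_body = parse_json_strict(body) if body else None
    obj_id = extract_id(query_string, json_body)
    record = PROFILES.get(obj_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("not found")
    return record


def rejected(fn, *args, **kwargs):
    """True if the call is refused with BadRequest or Forbidden."""
    try:
        fn(*args, **kwargs)
    except (BadRequest, Forbidden):
        return True
    return False


if __name__ == "__main__":
    print(get_profile("1234", query_string="id=1234")["email"])  # alice@example.invalid
    print(rejected(get_profile, "1234", query_string="id=1235"))  # True
    print(rejected(extract_id, "id=1234&id=1235"))                # True
```

The ownership comparison is the part that actually closes the IDOR; the parsing rules exist so that no encoding trick can make the check run against one id while the data layer acts on another.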
