Advanced IDORs - 9 Techniques by Intigriti:
1. Exploiting Basic IDORs
How to: Modify a predictable numeric ID in the request URL or parameters.
Example: GET /user/email?userId=1002 (change userId to another value).
2. Exploiting IDORs via Parameter Pollution
How to: Inject multiple instances of the same parameter in the request.
Example: POST /update_profile with user_id=1234&user_id=5678.
3. Exploiting IDORs via JSON Globbing
How to: Manipulate JSON fields with arrays, booleans, wildcards, or large integers.
Example: { "user_id": ["1234", "5678"] } or { "user_id": "*" }.
4. Exploiting Method-Based IDORs
How to: Change the HTTP method to bypass access controls.
Example: Change GET /user/data to POST /user/data.
5. Exploiting Content-Type-Based IDORs
How to: Alter the Content-Type header to manipulate request processing.
Example: Use Content-Type: application/json instead of Content-Type: text/plain.
6. Exploiting IDORs via Deprecated API Versions
How to: Use older API versions that may lack updated security checks.
Example: Access /v1/user/data instead of /v2/user/data.
7. Exploiting IDORs in APIs that Use Static Keywords
How to: Replace keywords like current or me with numerical user IDs.
Example: Change /user/profile/current to /user/profile/1002.
8. Exploiting IDORs that Require Unpredictable IDs
How to: Find references to UUIDs or hashes in other parts of the application.
Example: Extract the UUID from profile URLs such as /profile/123e4567-e89b-12d3-a456-426614174000.
9. Exploiting Second-Order IDOR Vulnerabilities
How to: Manipulate stored IDs used in subsequent processes.
Example: Submit a form that stores your ID, then trigger an export process that retrieves data using that stored ID.
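Most of the variants above share one root cause: the server trusts an identifier it took from the request instead of deriving the permitted object from the authenticated session. The example below is added here and is not Intigriti's code; it is a hypothetical Python authorization helper (the names Request, Session, Forbidden and resolve_target_user are all invented) that a backend would call from every route, regardless of HTTP method, Content-Type or API version. It rejects duplicated query parameters (technique 2), non-scalar or oversized JSON IDs (technique 3), maps the static keywords current/me to the session user instead of a separate code path (technique 7), and enforces ownership for any explicit ID, which is what makes techniques 1, 4, 5, 6 and 8 fail.

```python
"""Added example: one server-side authorization helper for user-scoped routes.
Hypothetical code, not from the original post; Request/Session model the
pieces of an HTTP request a framework would hand to a handler."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, List, Optional, Tuple


@dataclass
class Session:
    user_id: int
    is_admin: bool = False


@dataclass
class Request:
    method: str
    query: List[Tuple[str, str]]             # raw query pairs, order preserved
    json_body: Optional[dict] = None         # parsed body, if any
    path_id: Optional[str] = None            # e.g. "current", "me" or "1002"


class Forbidden(Exception):
    """Raised whenever the request may not act on the requested user."""


def _single_param(pairs: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Defeat parameter pollution: a key that appears twice is rejected outright,
    so it does not matter whether the framework would keep the first or last."""
    values = [v for k, v in pairs if k == name]
    if len(values) > 1:
        raise Forbidden(f"duplicate parameter {name!r}")
    return values[0] if values else None


def _parse_id(raw: Any) -> int:
    """Defeat JSON globbing: only a plain positive integer (or digit string)
    within a sane range is accepted; arrays, booleans, '*' and huge numbers fail."""
    if isinstance(raw, bool) or isinstance(raw, (list, dict, float)):
        raise Forbidden("id must be a scalar integer")
    if isinstance(raw, int):
        value = raw
    elif isinstance(raw, str) and raw.isdigit():
        value = int(raw)
    else:
        raise Forbidden("id must be numeric")
    if value <= 0 or value > 2**31 - 1:   # constructed bound for this example
        raise Forbidden("id out of range")
    return value


def resolve_target_user(req: Request, session: Session) -> int:
    """Return the user id this request is allowed to act on, or raise Forbidden.
    Called identically for GET/POST/PUT, any Content-Type and every API version,
    so switching those (techniques 4, 5, 6) never reaches a weaker check."""
    # Static keywords resolve to the caller; they are not a privileged shortcut.
    if req.path_id in ("current", "me"):
        return session.user_id

    candidates: List[Any] = []
    if req.path_id is not None:
        candidates.append(req.path_id)
    q = _single_param(req.query, "userId")
    if q is not None:
        candidates.append(q)
    if req.json_body is not None and "user_id" in req.json_body:
        candidates.append(req.json_body["user_id"])

    if not candidates:                       # nothing supplied: act on the caller
        return session.user_id
    ids = {_parse_id(c) for c in candidates}
    if len(ids) != 1:                        # path, query and body disagree
        raise Forbidden("conflicting ids in request")
    target = ids.pop()

    # Ownership is decided by the session, never by the id's guessability.
    if target != session.user_id and not session.is_admin:
        raise Forbidden("not the owner")
    return target


def is_denied(req: Request, session: Session) -> bool:
    """Convenience wrapper: True when resolve_target_user refuses the request."""
    try:
        resolve_target_user(req, session)
    except Forbidden:
        return True
    return False
```

For the second-order case (technique 9), the same rule applies at use time: the export job should call resolve_target_user again against the session that triggered it rather than trusting an ID stored earlier, and any mismatch between a stored ID and the current session is worth logging as a detection signal.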
----------------------------------------------------------
I've never seen real-world examples for some of them, but they are definitely worth a try.
#pentesting #appsec #bugbounty #cybersecurity
Here's the full scoop: https://buff.ly/3zfhhzL