Here's a couple of things worth a try to get an IDOR
Comment below if you've other useful tips & techniques.
๐งต๐
#bugbounty #bugbountytips #infosec
Comment below if you've other useful tips & techniques.
๐งต๐
#bugbounty #bugbountytips #infosec
1. Change file type
If you've an endpoint such as /users/passoword you might want to try /users/password.json or other extensions like .xml etc.
If you've an endpoint such as /users/passoword you might want to try /users/password.json or other extensions like .xml etc.
2. Convert ID to json body or array
If you've {"id":111} that gives you 401, you might want to try {"id":[111]} and {"id":{"id":111}}
If you've {"id":111} that gives you 401, you might want to try {"id":[111]} and {"id":{"id":111}}
3. Test the endpoint in mobile environment
Sometimes, the webapps using any protected or encoded data in endpoint might be left without any protection in mobile.
Sometimes, the webapps using any protected or encoded data in endpoint might be left without any protection in mobile.
4. Change request method
GET -> POST
GET -> POST
5. Testing wildcards
If you've GET /api/v1/userlist/user1 or something similar try /api/v1/userlist/*
If you've GET /api/v1/userlist/user1 or something similar try /api/v1/userlist/*
6. Working with versioning
Many api endpoints intend to have something like /api/v2/dir and in such cases we can test v2's endpoints and parameters on api/v1 and it might give different unexpected results
Many api endpoints intend to have something like /api/v2/dir and in such cases we can test v2's endpoints and parameters on api/v1 and it might give different unexpected results
7. Remove / add parameters
Just simply removing a parameter such as in /api/users?getUID=2341234 you might want to remove getUID and it might leak info of all users
Also, try add same/different parameters such as /api/users?getUID=attackerID&getUID=victimID
Just simply removing a parameter such as in /api/users?getUID=2341234 you might want to remove getUID and it might leak info of all users
Also, try add same/different parameters such as /api/users?getUID=attackerID&getUID=victimID
8. {CLASSIC}
Replace your ID with another account ID that you've created
Eg: /sensitive/userinfo?uid=123 -? /sensitive/userinfo?uid=124
Replace your ID with another account ID that you've created
Eg: /sensitive/userinfo?uid=123 -? /sensitive/userinfo?uid=124
Hey ๐, I'm Nithin
๐ป CS / Tech
๐ฆนโโ๏ธ Infosec / Bug Bounty
๐ฐ Finance
๐ Books / Productivity
Follow @thebinarybot if you're interested in either of the topics mentioned above. I
๐ป CS / Tech
๐ฆนโโ๏ธ Infosec / Bug Bounty
๐ฐ Finance
๐ Books / Productivity
Follow @thebinarybot if you're interested in either of the topics mentioned above. I
โข โข โข
Missing some Tweet in this thread? You can try to
force a refresh
ใ
