1. Create two accounts if possible or else enumerate users first. 2. Check if the endpoint is private or public and does it contains any kind of id param. 3. Try changing the param value to some other user and see if does anything to their account.
🧵(2/n) :👇
➡ Testcase 1: Add IDs to requests that don’t have them
GET /api/MyPictureList → /api/MyPictureList?user_id=<other_user_id>
Pro tip: You can find parameter names to try by deleting or editing other objects and seeing the parameter names used.
🧵(3/n) :👇
➡ Testcase 2: Try replacing parameter names
🧵(4/n) :👇
➡ Testcase 3: Supply multiple values for the same parameter.
🧵(5/n) :👇
➡ Testcase 4: Try changing the HTTP request method when testing for IDORs
🧵(6/n) :👇
➡ Testcase 5: Try changing the request’s content type
🧵(7/n) :👇
➡ Testcase 6: Try changing the requested file type (Test if Ruby)
🧵(8/n) :👇
➡ Testcase - 7: Does the app ask for non-numeric IDs? Use numeric IDs instead
🧵(9/n) :👇
➡ Testcase 8: Try using an array
🧵(10/n) :👇
➡ Testcase 9: Wildcard ID
🧵(11/n) :👇
➡ Testcase 10: Pay attention to new features
🧵(12/n) :👇
➡ Extra IDOR Tips :
• Looking for high impact IDOR?
• Always try to find the hidden parameters for this endpoints using Arjun and Parameth
• /settings/profile
• /user/profile
• /user/settings
• /account/settings
• /username
• /profile
And any payment endpoint
🧵13/n👇
Thanks For Reading This Amazing Thread 🧵On :
Testing for IDOR ( Manual-Method )
A JavaScript bookmarklet for extracting all webpage endpoint links on a page.
Created by @renniepak, this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on webpage.
1/n
Usage (Bookmarklet)
Create a bookmarklet...
• Right-click your bookmark bar
• Click 'Add Page'
• Paste the above Javascript in the 'url' box
• Click 'Save'
...then visit the victim page in the browser and click the bookmarklet.