• YourWeb wants to integrate with Twitter.
• YourWeb sends you to Twitter to ask whether you authorize it.
• Twitter prompts you with a consent screen.
• Once you accept, Twitter redirects you to YourWeb's redirect_uri with a code and the state value.
• YourWeb takes the code together with its own client_id and client_secret and asks the server for an access_token.
• YourWeb calls the Twitter API with the access_token.
1. Create two accounts if possible; otherwise enumerate users first.
2. Check whether the endpoint is private or public and whether it contains any kind of id parameter.
3. Try changing the parameter value to another user's and see whether it does anything to their account.
➡ Testcase 1: Add IDs to requests that don’t have them
GET /api/MyPictureList → /api/MyPictureList?user_id=<other_user_id>
Pro tip: You can find parameter names to try by deleting or editing other objects and seeing the parameter names used.
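As an added example (not from the original thread), the MyPictureList endpoint above written two ways: one that trusts a client-supplied user_id, which is exactly what Testcase 1 probes for, and one that takes the owner only from the session, plus a small detection hook. The store, session class and users are constructed for the example.

```python
# Added example: the picture-list handler from the thread, vulnerable vs. hardened.
# PICTURES, Session and the user names are constructed sample data, not a real service.
from dataclasses import dataclass

# Constructed sample data: picture id -> owning user
PICTURES = {"p1": "alice", "p2": "alice", "p3": "bob"}


@dataclass
class Session:
    """Server-side session established after login (or after the OAuth code exchange)."""
    user_id: str


def list_pictures_vulnerable(session: Session, params: dict) -> list:
    """Lets a query parameter override the session identity.
    Adding ?user_id=<other_user_id> to a request that had no id returns that
    user's pictures: an insecure direct object reference."""
    owner = params.get("user_id", session.user_id)
    return sorted(pid for pid, who in PICTURES.items() if who == owner)


def list_pictures_hardened(session: Session, params: dict) -> list:
    """Derives the owner from the authenticated session only; any user_id the
    client supplies is ignored, so the same probe returns the caller's own data."""
    owner = session.user_id
    return sorted(pid for pid, who in PICTURES.items() if who == owner)


def detect_id_tampering(session: Session, params: dict) -> bool:
    """Detection hook: flag requests whose supplied user_id does not match the
    session user, a cheap signal for IDOR probing worth logging and alerting on."""
    supplied = params.get("user_id")
    return supplied is not None and supplied != session.user_id
```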