1) IDOR to delete images from other stores' profile pics
a) Facebook IDOR image delete - shorturl.at/fmsyY
b) HackerOne report id - 404797
2) Is the ID encoded, or is it in plaintext?
- change a user's settings by changing their base64-encoded id; H1 report id - 291721
3) Can a file/resource be accessed directly from the url, without needing prior authentication?
-H1 258260, 230870, 126861
4) Found a mail subscription? Look for an IDOR there to unsubscribe anyone
-H1 report - 230328
5) Are there bypasses, like finding similar sites with less protection? (full account takeover)
-H1 report 271393, 876300, 715054
6) Can you get an IDOR by changing the request method, or does the exploit involve using a different method?
-H1 297751
7) Are IDs not actually numbers but strings? Sometimes the IDOR can be exploited via a username or email change instead of an ID.
-H1 262661, 152407, 587687
8) IDOR can lead to leaking PII
-H1 report 293490, 980511, 723461, 668439, 783708, 439729, 152407
9) Can you bypass payment via IDOR?
-H1 report 391092
10) Can you do actions on others' behalf?
-H1 report 1005020, 725569, 258260
11) Can you destroy or damage any assets or info?
- H1 report 156537, 264754, 153905, 120115
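Added example (not from the thread or any of the linked reports) showing the defender's side of items 2, 4, 6, 7 and 10: an object-level authorization check that decodes a base64 or plaintext id, applies the same ownership test to every HTTP method and to email-keyed resources, with the unprotected delete handler beside the fixed one. The data store, user names and status codes are constructed for the example.

```python
import base64
import binascii

# Constructed in-memory data for this example (not from any real system):
# profile image id -> owning user, and mailing-list email -> owning user.
IMAGES = {101: "alice", 102: "bob"}
SUBSCRIPTIONS = {"alice@example.com": "alice", "bob@example.com": "bob"}

def parse_resource_id(raw):
    """Accept the id as plain digits or as base64-encoded digits.
    Encoding the id is not a security control: decode it, then still
    authorize. Returns None for anything malformed."""
    if raw.isdigit():
        return int(raw)
    try:
        decoded = base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return int(decoded) if decoded.isdigit() else None

def delete_image_vulnerable(images, session_user, raw_id):
    """'Before' form: trusts the client-supplied id and never checks
    ownership, so any logged-in user can delete anyone's image (IDOR)."""
    image_id = parse_resource_id(raw_id)
    if image_id not in images:
        return 404
    del images[image_id]
    return 200

def authorize(owner_by_key, session_user, key):
    """Object-level authorization shared by every method (GET, PUT, DELETE
    alike): the resource must exist AND belong to the session user.
    Log the 403s: a run of denials on sequential ids from one session is
    a strong IDOR-probing signal for detection."""
    owner = owner_by_key.get(key)
    if owner is None:
        return 404
    return 200 if owner == session_user else 403

def delete_image_fixed(images, session_user, raw_id):
    """'After' form: decode, authorize the object, then act."""
    image_id = parse_resource_id(raw_id)
    if image_id is None:
        return 400
    status = authorize(images, session_user, image_id)
    if status == 200:
        del images[image_id]
    return status

def unsubscribe_fixed(subscriptions, session_user, email):
    """A resource keyed by email or username is still an object reference
    and gets the same ownership check, not a bare lookup."""
    status = authorize(subscriptions, session_user, email)
    if status == 200:
        del subscriptions[email]
    return status
```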