Broken Access Control

• Use account-A's Cookie/ Authorization-token to access account-B's Resources/Objects

• Use the newsletter unsubscribe Session to Access any Victim's PII

• Use The non-confirmed email session to access any of resources that demands Confirmed user

Play with Request / Response

• Understand the pattern [ Sequential | Encoded | UUID (aka GUID) | Other ]

• Change -> Next/Previous value -> Compute/Predict -> Data Type [string->number] -> Method [GET/POST]

• Duplicate -> ?id=1&id=2

• Add as an array -> ?id[]=1&id[]=2

• Wildcard -> GET /users/id -> GET /users/*

• Cross-deployments IDs -> Identify other deployments (hosts) of your target API

• UUID Hacking -> tool read more

Excessive Data Exposure

• Check if the API returns full data objects from database with sensitive data

• Compare client data with the API response to check if the filtering is done by client side

• Sniff the traffic to check for sensitive data returned by the API

Broken Function Level Authorization

• Can a regular user access administrative endpoints?

• Testing different HTTP methods (GET, POST, PUT, DELETE, PATCH) will allow level escalation?

• Enumerate/Bruteforce endpoints for getting unauthorized requests

• Check for Forbidden Features for low privilege user and try to use this features

Mass Assignment

1. Enumerate object properties

• API documentation

• Exercise data retrieval endpoints -> watch-out for ?include=user.addresses,user.cards-like parameters

• Uncover hidden properties

• Guessing, based on API context

• Reverse engineering available API clients

• Use param-miner tool OR Arjun to guess parameters
• Do some Parameters-Values Tampers [[JSON Tests Cheat Sheet]]

Improper Assets Management

• Check for the API documentation

• Hosts inventory is missing or outdated

• Integrated services inventory, either first- or third-party, is missing or outdated

• Old or previous API versions are running unpatched

Checklist

IDOR Checklist

• Find and Replace 10s in urls, headers and body: /users/01 → /users/02

• Try Parameter Pollution: users-01 users-01&users-02

• Special Characters: /users/01 of /users/* → Disclosure of every single user

• Try Older versions of api endpoints: /api/v3/users/01 → /api/v1/users/02

• Add extension: /users/01 → /users/82.json

• Change Request Methods: POST /users/81 → GET, PUT, PATCH, DELETE etc

• Check if Referer or some other Headers are used to validate the IDs: GET /users/02 → 403 Forbidden Referer: [example.com/users/01](<http://example.com/users/01>) GET /users/82 → 200 OK Referer: [example.com/users/02](<http://example.com/users/02>)

• Encrypted IDs: If application is using encrypted IDs, try to decrypt using hashes.com or other tools.
• Swap GUID with Numeric ID or email: /users/1b84c196-89f4-4260-b18b-ed85924ce283 or /users/82 or /users/agb.com

• Try GUIDs such as: 00000000-0000-0000-0000-000000000000 and 11111111-1111-1111-1111-111111111111

• GUID Enumeration: Try to disclose GUIDs using Google Dorks, Github, Wayback, Burp history

• If none of the GUID Enumeration methods work then try: Signup, Reset Password, Other endpoints within application and analyze response. These endpoints mostly disclose user's GUID.

• 403/401 Bypass: If server responds back with a 403/401 then try to use burp intruder and send 50-100 requests having different IDs: Example: from /users/01 to /users/100

• if server responds with a 403/401, double check the function within the application. Sometime 403/401 is thrown but the action is performed.

• Blind IDORS: Sometimes information is not directly disclosed. Lookout for endpoints and features that may disclose information such as export files, emails or message alerts.

• Chain IDOR with XSS for Account Takeovers.

• Bruteforce Hidden HTTP parameters

• send wildcard instead of an id

• Missing Function Level Acess Control

• Bypass object level authorization Add parameter onto the endpoit if not present by defualt

GET /api_v1/messages ->200GET /api_v1/messages?user_id=victim_uuid ->200

• HTTP Parameter POllution Give mult value for same parameter

GET /api_v1/messages?user_id=attacker_id&user_id=victim_idGET /api_v1/messages?user_id=victim_id&user_id=attacker_id

• change file type

GET /user_data/2341        -> 401GET /user_data/2341.json   -> 200GET /user_data/2341.xml    -> 200GET /user_data/2341.config -> 200GET /user_data/2341.txt    -> 200

• json parameter pollution

{"userid":1234,"userid":2542}

• Wrap the ID with an array in the body

{"userid":123} ->401{"userid":[123]} ->200

• wrap the id with a json object

{"userid":123} ->401{"userid":{"userid":123}} ->200

• Test an outdata API version

GET /v3/users_data/1234 ->401GET /v1/users_data/1234 ->200

• If the website using graphql, try to find IDOR using graphql!

• exif_geo

  Summary

  When a user uploads an image in example.com, the uploaded image’s EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of example.com users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc.

  Steps to reproduce:

  1. Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg)\
  2. There are lot of images having resolutions (i.e 1280 * 720 ) , and also whith different MB’s

  3. Go to Upload option on the website

  4. Upload the image

  5. see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect , edit it as html )\

  6. open it (http://exif.regex.info/exif.cgi)
  7. See wheather is that still showing exif data , if it is then Report it.

  Reports (Hackerone)

  • IDOR with Geolocation data not stripped from images

  Insecure Direct Object Reference (IDOR)

  • Disclose Private Dashboard Chart's name and data in Facebook Analytics
  • Disclosing privately shared gaming clips of any user
  • Adding anyone including non-friend and blocked people as co-host in personal event!
  • Page analyst could view job application details
  • Deleting Anyone's Video Poll
• Try decode the ID, if the ID encoded using md5,base64,etc

GET /GetUser/dmljdGltQG1haWwuY29t
[...]

• change HTTP method

GET /users/delete/victim_id  ->403
POST /users/delete/victim_id ->200

• Try replacing parameter names

Instead of this:
GET /api/albums?album_id=<album id>

Try This:
GET /api/albums?account_id=<account id>

Tip: There is a Burp extension called Paramalyzer which will help with this by remembering all the parameters you have passed to a host.

• Path Traversal

POST /users/delete/victim_id          ->403
POST /users/delete/my_id/..victim_id  ->200

• change request content-type

Content-Type: application/xml ->
Content-Type: application/json

• swap non-numeric with numeric id

GET /file?id=90djbkdbkdbd29dd
GET /file?id=302

• Missing Function Level Acess Control

GET /admin/profile ->401
GET /Admin/profile ->200
GET /ADMIN/profile ->200
GET /aDmin/profile ->200
GET /adMin/profile ->200
GET /admIn/profile ->200
GET /admiN/profile ->200

• send wildcard instead of an id

GET /api/users/user_id ->
GET /api/users/*

• Never ignore encoded/hashed ID

for hashed ID ,create multiple accounts and understand the ppattern application users to allot an iD

• Google Dorking/public form

search all the endpoints having ID which the search engine may have already indexed

• Bruteforce Hidden HTTP parameters

use tools like arjun , paramminer 

• Bypass object level authorization Add parameter onto the endpoit if not present by defualt

GET /api_v1/messages ->200
GET /api_v1/messages?user_id=victim_uuid ->200

• HTTP Parameter POllution Give mult value for same parameter

GET /api_v1/messages?user_id=attacker_id&user_id=victim_id
GET /api_v1/messages?user_id=victim_id&user_id=attacker_id

• change file type

GET /user_data/2341        -> 401
GET /user_data/2341.json   -> 200
GET /user_data/2341.xml    -> 200
GET /user_data/2341.config -> 200
GET /user_data/2341.txt    -> 200

• json parameter pollution

{"userid":1234,"userid":2542}

• Wrap the ID with an array in the body

{"userid":123} ->401
{"userid":[123]} ->200

• wrap the id with a json object

{"userid":123} ->401
{"userid":{"userid":123}} ->200

• Test an outdata API version

GET /v3/users_data/1234 ->401
GET /v1/users_data/1234 ->200

• If the website using graphql, try to find IDOR using graphql!

GET /graphql
[...]

GET /graphql.php?query=
[...]

• Unprotected admin panel [in source code or robots.txt]

• User role controlled by request parameter
• User role can be modified in user profile
• User ID controlled by request parameter
• User ID controlled by request parameter, with unpredictable user IDs
• User ID controlled by request parameter with data leakage in redirect
• User ID controlled by request parameter with password disclosure
• URL-based access control can be circumvented [X-Original-URL:] or other headers that backend handle it to give access
• Method-based access control can be circumvented [ Changing the method of the request ]
• Multi-step process with no access control on one step [ Do a need-privilege action with non-privilege user even if there is confirmation step ]
• Referer-based access control [ backend depends on referrer header to access the user to do sensitive actions ]
• improper Access generic

Authorization Bypass reports from HackerOne:

1. Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO to Shopify - 1812 upvotes, $0
2. [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - 872 upvotes, $0
3. Ability to reset password for account to Upserve - 602 upvotes, $0
4. Request smuggling on admin-official.line.me could lead to account takeover to LINE - 554 upvotes, $0
5. Privilege Escalation From user to SYSTEM via unauthenticated command execution to Ubiquiti Inc. - 540 upvotes, $0
6. Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation to Shopify - 533 upvotes, $0
7. Able to Become Admin for Any LINE Official Account to LINE - 485 upvotes, $0
8. H1514 Ability to MiTM Shopify PoS Session to Takeover Communications to Shopify - 362 upvotes, $13337
9. Attacker is able to access commit title and team member comments which are supposed to be private to GitLab - 337 upvotes, $0
10. [Razer Pay Mobile App] Broken access control allowing other user's bank account to be deleted to Razer - 311 upvotes, $1000
11. Shopify admin authentication bypass using partners.shopify.com to Shopify - 290 upvotes, $20000
12. Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite) to LocalTapiola - 261 upvotes, $18000
13. Team member with Program permission only can escalate to Admin permission to HackerOne - 257 upvotes, $2500
14. Linux privilege escalation via trusted $PATH in keybase-redirector to Keybase - 245 upvotes, $5000
15. Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain to GitLab - 237 upvotes, $0
16. Ability to bypass partner email confirmation to take over any store given an employee email to Shopify - 230 upvotes, $15250
17. Privilege escalation from any user (including external) to gitlab admin when admin impersonates you to GitLab - 230 upvotes, $0
18. Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties to GitLab - 223 upvotes, $3000
19. Unauthenticated blind SSRF in OAuth Jira authorization controller to GitLab - 222 upvotes, $4000
20. [www.zomato.com] Blind XSS on one of the Admin Dashboard to Zomato - 213 upvotes, $750
21. Ability to DOS any organization's SSO and open up the door to account takeovers to Grammarly - 212 upvotes, $10500
22. Ability To Delete User(s) Account Without User Interaction to GitLab - 211 upvotes, $0
23. Privilege escalation in workers container to Semmle - 202 upvotes, $1500
24. Incorrect authorization to the intelbot service leading to ticket information to TikTok - 201 upvotes, $15000
25. Admin Management - Login Using Default Password - Leads to Image Upload Backdoor/Shell to Razer - 199 upvotes, $200
26. Ability to create own account UUID leads to stored XSS to Upserve - 198 upvotes, $1500
27. Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system. to Uber - 196 upvotes, $4500
28. HackerOne Jira integration plugin Leaked JWT to unauthorized jira users to HackerOne - 193 upvotes, $3000
29. Stealing Users OAuth authorization code via redirect_uri to pixiv - 183 upvotes, $2000
30. Unauthorized access to metadata of undisclosed reports that were retested to HackerOne - 180 upvotes, $0

    Top IDOR Reports

    1. IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users to PayPal - 694 upvotes, $10500
    2. IDOR allow access to payments data of any user to Nord Security - 337 upvotes, $0
    3. Insecure Direct Object Reference (IDOR) - Delete Campaigns to HackerOne - 280 upvotes, $0
    4. idor allows you to delete photos and album from a gallery to Pornhub - 266 upvotes, $1500
    5. IDOR allows any user to edit others videos to Pornhub - 246 upvotes, $1500
    6. Singapore - Account Takeover via IDOR to Starbucks - 221 upvotes, $0
    7. IDOR delete any Tickets on ads.tiktok.com to TikTok - 193 upvotes, $0
    8. I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD) to Yelp - 181 upvotes, $0
    9. IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal to Automattic - 178 upvotes, $0
    10. An IDOR that can lead to enumeration of a user and disclosure of email and phone number within cashier to Unikrn - 167 upvotes, $3000
    11. IDOR allows an attacker to modify the links of any user to Reddit - 159 upvotes, $5000
    12. IDOR in the https://market.semrush.com/ to Semrush - 155 upvotes, $0
    13. IDOR leads to Edit Anyone's Blogs / Websites to Automattic - 144 upvotes, $0
    14. [api.pandao.ru] IDOR for order delivery address to Mail.ru - 120 upvotes, $3000
    15. IDOR vulnerability (Price manipulation) to Acronis - 119 upvotes, $0
    16. Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability to Reddit - 115 upvotes, $5000
    17. IDOR and statistics leakage in Orders to X (Formerly Twitter) - 110 upvotes, $289
    18. IDOR in https://3d.cs.money/ to CS Money - 110 upvotes, $0
    19. IDOR leading to downloading of any attachment to BCM Messenger - 105 upvotes, $0
    20. IDOR leads to leak analytics of any restaurant to Uber - 103 upvotes, $2000