# IDOR {% tabs %} {% tab title="Support VeryLazyTech πŸŽ‰" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š {% endtab %} {% endtabs %} **Insecure Direct Object References (IDOR)** vulnerabilities are among the most critical security risks in modern applications. Exploiting an IDOR allows attackers to access or modify unauthorized data, often leading to severe security breaches. Finding IDORs requires a combination of manual testing, automation, and an understanding of common patterns in application logic. In this guide, we will dive deep into **advanced techniques to uncover more IDOR vulnerabilities** in web applications. #### Understanding IDOR Vulnerabilities **IDOR occurs when an application fails to enforce proper authorization mechanisms for accessing objects, such as user profiles, invoices, or database entries.** Attackers can manipulate object identifiers in API requests, URLs, or form fields to gain unauthorized access to data belonging to other users. For example, if a user profile is accessed via: ``` GET /user/profile?id=1234 ``` An attacker might change the `id` parameter to another value (`id=5678`) and view someone else's profile if no proper authorization check is in place. *** ## Tips that I use to find more IDORs: ### **Prime Parameters to Probe** While hunting for **Insecure Direct Object References (IDORs)**, certain parameters frequently emerge as high-value targets. Keep an astute eye on these variables: ``` id= uid= gid= user= account= number= order= no= doc= file= key= email= group= profile= edit= report= ``` ### **UUID Exploitation Techniques** Universally Unique Identifiers (**UUIDs**) are often perceived as impervious due to their non-predictability. However, misconfigurations can render them vulnerable. Here’s how to scrutinize them effectively: 1. **Leak Hunting:** UUIDs may inadvertently surface in logs, error messages, or embedded within page sources. 2. **Predictability Assessment:** Developers may inadvertently employ pseudo-random UUID generation, reducing entropy. Verify their randomness. 3. **Simplification Attack:** Swap a UUID with rudimentary numeric patterns or a default placeholder like `00000000-0000-0000-0000-000000000000`. Oversights in access control may lead to unauthorized access. 4. **Historical Data Mining:** Utilize archival repositories such as the **Wayback Machine** or **Common Crawl** to uncover past UUID exposures. ### **Parameter Pollution Tactics** Consider an API endpoint structured as follows: ``` /api/messages?user_id= ``` If an initial **IDOR** attempt on `user_id` proves unfruitful, employ parameter duplication: ``` /api/messages?user_id=&user_id= ``` Additionally, when the application handles arrays, exploit list-based submissions: ``` /api/messages?user_ids[]=&user_ids[]= ``` ### **Testing with Alternative HTTP Methods** Evaluate the **entire spectrum** of HTTP request methods. Some applications enforce authorization only on specific methods while neglecting others: ``` GET POST PUT PATCH DELETE ``` ### **Hashing and Encoding Reversals** Examine encoded URL parameters: ``` ?filename=ZmlsZV8xMjMucGRm ``` Decipher the encoded string (often Base64) and manipulate it: ``` Original -> ZmlsZV8xMjMucGRm Base64 Decode -> file_123.pdf Alter -> file_999.pdf Re-encode -> ZmlsZV8xOTkucGRm ``` Some applications may employ alternative hashing or encoding mechanisms. Leverage tools such as **CyberChef** or **hashes.com** to decode and manipulate values. ### **Fuzzing to Uncover Hidden Entry Points** A well-orchestrated fuzzing campaign can unearth **neglected or misconfigured API endpoints**. For instance, consider: ``` /api/v1/messages/view ``` Two potential fuzzing points emerge: ``` /api/$FUZZ1$/messages/view$FUZZ2$ ``` ### **Crafting IDs Where None Exist** Endpoints may function **without overt ID parameters**. In such cases: 1. **Append plausible identifiers** manually to test for backend assumptions. 2. **Replace generic placeholders** (e.g., `self` or `user`) with explicit user IDs to assess unauthorized access possibilities. ## IDOR and XSS Chaining for Maximum Impact When **IDOR** vulnerabilities coexist with **self-XSS**, they can be weaponized into **stored XSS** that targets unsuspecting users. Consider an API that permits folder creation: ``` /api/createFolder?user_id=123&folder_name= ``` If `folder_name` allows script execution and `user_id` is vulnerable to **IDOR**, an adversary can implant **malicious JavaScript** into another user’s workspace, leading to an escalated impact. *** ## Best Techniques to Find More IDORs ### 1. Targeting API Endpoints and Web Requests APIs often expose IDOR vulnerabilities due to poor access control. Follow these steps: * Use **Burp Suite, ZAP, or Postman** to intercept API requests. * Modify the object identifiers (`user_id`, `invoice_id`, `account_id`) and check if unauthorized data is accessible. * **Test different HTTP methods (GET, POST, PUT, DELETE)** to assess IDOR impact beyond just reading data. ### 2. Automating IDOR Discovery with Burp Suite and Custom Scripts * **Burp Suite Extensions**: Tools like [**Autorize**](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f) and [**Auth Analyzer**](https://portswigger.net/bappstore/7db49799266c4f85866f54d9eab82c89) help automate the detection of IDOR vulnerabilities by replaying requests with unauthorized accounts. * **Custom Python Scripts**: Use `requests` in Python to automate IDOR fuzzing by cycling through object IDs. Example Python script for IDOR fuzzing: ``` import requests url = "https://target.com/api/user/profile?id=" for i in range(1000, 1100): response = requests.get(url + str(i), cookies={'session': 'valid_session_cookie'}) if "unauthorized" not in response.text: print(f"Potential IDOR found: {url}{i}") ``` ### 3. Identifying Numeric and UUID-Based IDORs * Applications use different identifier formats: * **Sequential numeric IDs (1234, 1235, 1236, etc.)** are easy to exploit. * **UUIDs (e.g., 550e8400-e29b-41d4-a716–446655440000)** require guesswork but may still be vulnerable. * Look for patterns in API responses, JavaScript files, and database structures. ### 4. Reviewing Client-Side JavaScript for Clues * JavaScript often contains hardcoded API endpoints and object IDs. * Use **DevTools > Sources** or fetch JavaScript files with: ``` wget -r --no-parent -A .js https://target.com ``` * Search for API calls that include user IDs or resource IDs. ### 5. Exploring Multi-Tenant and Role-Based Access Scenarios * Test **regular user accounts vs. admin accounts**. * If an application has **multi-tenant architecture**, check if data from one tenant is accessible to another. * Use **low-privilege accounts** to test access to privileged endpoints. ### 6. HTTP Parameter Pollution and Hidden Parameters * Some applications use multiple parameters for object identification. ``` GET /profile?id=1234&id=5678 ``` * If the backend processes only the second `id`, an attacker can manipulate it. * Try adding additional parameters to override security checks. ### 7. Bypassing Access Controls via Method Manipulation * Some APIs enforce security only on `GET` requests but not `POST` or `PUT`. * Change request methods in **Burp Repeater** to check if unauthorized data modifications are possible. ### 8. Testing for IDOR in File and Document Access * Some applications store files with predictable names: [`https://target.com/uploads/invoices/1234.pdf`](https://target.com/uploads/invoices/1234.pdf) * Try accessing sequential files: [`https://target.com/uploads/invoices/1235.pdf`](https://target.com/uploads/invoices/1235.pdf) * Check if API file downloads require authentication. ### 9. Manipulating GraphQL Queries for IDOR Testing * GraphQL APIs often expose IDOR due to **overly permissive query structures**. * Test queries with: ``` { "query": "{ user(id: 5678) { email, role } }" } ``` * See if the API returns unauthorized user data. ### 10. Hunting IDOR in Mobile Applications * Decompile APKs using `jadx-gui` to analyze API endpoints. * Use **MITM proxies** like Burp Suite to intercept API calls. * Modify request payloads and identifiers to check for unauthorized access. *** {% hint style="success" %} Learn & practice [**For the OSCP.**](https://shop.verylazytech.com)
Support VeryLazyTech πŸŽ‰ * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.verylazytech.com/pentesting-web/idor.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.