IDOR

Identifying IDORs

  • URL Parameters and APIs

  • AJAX Calls

  • Understanding Hashing/Encoding

  • Compare User Roles (multiple accounts)

Bypassing Encoded Reference

  • Burp Comparer

  • Function Disclosure (Angular, React, Vue, etc.)

Chaining IDOR Vulnerabilities (sample)

  1. POST /profile/2 requires a valid UUID

  2. GET /profile/2 discloses user2's UUID

  3. POST /profile/2 with the UUID from step 2

Prevention

  • Object-Level Access Control (RBAC, Role-Based Access Control)

  • Object Referencing (UUIDv4)
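The two prevention points, and the "compare user roles" identification step, side by side in one worked example. This is added here and is not code from the original page: it assumes a constructed in-memory user table and profile store, a vulnerable handler that resolves sequential ids with no ownership check, and a hardened handler that resolves UUIDv4 references and enforces owner-or-admin access. The `access_matrix` helper is the multi-account comparison run as a defender's regression check.

```python
import uuid
from dataclasses import dataclass

# Constructed sample data (not from the page): three accounts and two profiles.
# Roles are keyed by the internal numeric user id.
USERS = {1: "user", 2: "user", 3: "admin"}


@dataclass
class Profile:
    owner_id: int      # internal sequential id of the owning user
    public_id: str     # UUIDv4 reference exposed to clients instead of the int
    email: str


PROFILES = {
    1: Profile(owner_id=1, public_id=str(uuid.uuid4()), email="user1@example.test"),
    2: Profile(owner_id=2, public_id=str(uuid.uuid4()), email="user2@example.test"),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_profile_vulnerable(requester_id, profile_id):
    """IDOR: the handler trusts the sequential id in the URL and never asks
    whether the requester is allowed to see that object."""
    if profile_id not in PROFILES:
        raise NotFound
    return PROFILES[profile_id]


def get_profile_secure(requester_id, reference):
    """Object-level access control: resolve the UUIDv4 reference, then allow
    the read only for the owner or an account holding the admin role."""
    try:
        uuid.UUID(reference)  # reject malformed references before any lookup
    except (ValueError, AttributeError, TypeError):
        raise NotFound
    profile = next((p for p in PROFILES.values() if p.public_id == reference), None)
    if profile is None:
        raise NotFound
    if profile.owner_id != requester_id and USERS.get(requester_id) != "admin":
        raise Forbidden
    return profile


def outcome(handler, requester_id, reference):
    """Normalise a handler call to 'allowed', 'forbidden' or 'not found'."""
    try:
        handler(requester_id, reference)
        return "allowed"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not found"


def access_matrix(handler, references):
    """The 'compare user roles' check: call the handler as every account
    against every object reference and record the result of each pair."""
    return {(uid, ref): outcome(handler, uid, ref)
            for uid in USERS for ref in references}


def cross_account_reads(matrix, owner_of):
    """Pairs where a non-admin account read an object it does not own.
    owner_of maps a reference to the owning user id; an empty result means
    no horizontal access was observed."""
    return sorted((uid, ref) for (uid, ref), result in matrix.items()
                  if result == "allowed"
                  and USERS[uid] != "admin"
                  and owner_of(ref) != uid)


def owner_by_internal_id(profile_id):
    return PROFILES[profile_id].owner_id


def owner_by_public_id(reference):
    return next(p.owner_id for p in PROFILES.values() if p.public_id == reference)


if __name__ == "__main__":
    leaks = cross_account_reads(access_matrix(get_profile_vulnerable, list(PROFILES)),
                                owner_by_internal_id)
    print("vulnerable handler, cross-account reads:", leaks)
    refs = [p.public_id for p in PROFILES.values()]
    leaks = cross_account_reads(access_matrix(get_profile_secure, refs),
                                owner_by_public_id)
    print("secure handler, cross-account reads:", leaks)
```

Note that the UUIDv4 reference only removes guessability; as the chaining sample above shows, a reference that the application itself discloses is still usable, so the ownership/role check in `get_profile_secure` is the control that actually closes the IDOR, and the access matrix is what proves it stays closed.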
