API1:2019: Testing for IDOR / Broken Object Level Authorization:
Difficulty: Easy
Tips: Don't blindly change numbers until you hit PII; tools can do that for you. Dive deep into the application, find hidden functionality and features, and above all understand how the application works; that is what makes you successful at finding IDORs.
Finding IDOR Attack Vectors Ideas:
- What do they use for authorization? (JWT, API keys, cookies, tokens) Tip: Find this out by replacing a high-privilege authorization value with a lower-privilege one and seeing how the server responds.
- Understand how they use IDs, hashes, and their API. Do this by reading the API documentation, if they have one.
Recon for IDORs:
- Try scraping search engines for UUIDs, e.g. a Google dork for common IDOR URL parameters
- Use the Burp extensions Autorize and AutoRepeater
- Use tools like waybackurls or gau, then grep the output for UUIDs, IDs and common IDOR URL parameters
- Scrape JS files for API endpoints that take UUIDs or common IDOR parameters
Note: Recon for IDORs is very hard; many of them are found manually through application logic and they depend heavily on each application. On top of that, IDORs are commonly found on API endpoints that take the ID in JSON body parameters rather than in the URL. IDOR recon is still worthwhile, though, for picking up low-hanging fruit.
Every time you see a new API endpoint that receives an object ID from the client, ask yourself the following questions:
- Does the ID belong to a private resource? (e.g. /api/user/123/news vs /api/user/123/transaction)
- Which IDs belong to me?
- What are the different possible roles in the API? (for example: user, driver, supervisor, manager)
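The three questions above map directly onto the check a server should make before returning an object. The following is an added example, not code from the original notes or from any real API: a vulnerable lookup that only trusts authentication, beside a fixed lookup that decides per object using resource type (public news vs private transaction), ownership, and role. The resource names, roles and sample records are constructed for illustration.

```python
# Added example (not from the original notes). Models the public/private,
# "is this ID mine", and role questions as one authorization decision.
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    user_id: int
    role: str  # e.g. "user", "driver", "supervisor", "manager" (assumed roles)


# Constructed sample records: (resource type, object id) -> record.
OBJECTS = {
    ("news", 1): {"owner_id": 100, "title": "Service update"},
    ("transaction", 1): {"owner_id": 100, "amount": 250},
    ("transaction", 2): {"owner_id": 200, "amount": 990},
}
PUBLIC_RESOURCES = {"news"}    # readable by any authenticated caller
ELEVATED_ROLES = {"manager"}   # may read any user's private objects (assumed)


class Forbidden(Exception):
    """Caller is authenticated but not allowed to access this object."""


def fetch_vulnerable(caller: Caller, resource: str, obj_id: int) -> dict:
    """BOLA/IDOR: the caller is authenticated, but ownership is never checked,
    so any valid session can read any transaction by guessing its id."""
    return OBJECTS[(resource, obj_id)]


def fetch_fixed(caller: Caller, resource: str, obj_id: int) -> dict:
    """Load the object, then decide for that specific object whether the
    caller may see it. The decision is made server-side on every request."""
    record = OBJECTS.get((resource, obj_id))
    if record is None:
        raise KeyError((resource, obj_id))
    if resource in PUBLIC_RESOURCES:
        return record
    if record["owner_id"] == caller.user_id or caller.role in ELEVATED_ROLES:
        return record
    # Worth logging: a caller requesting IDs that are not theirs is the trace
    # that ID enumeration leaves behind, and a good detection signal.
    raise Forbidden(f"{caller.role} {caller.user_id} denied {resource}/{obj_id}")


def can_read(caller: Caller, resource: str, obj_id: int) -> bool:
    """True/False wrapper around fetch_fixed for policy checks and tests."""
    try:
        fetch_fixed(caller, resource, obj_id)
    except Forbidden:
        return False
    return True
```

In a real API, return the same status for a forbidden object as for a missing one, so the check itself does not confirm which IDs exist.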
Bypassing Object Level Authorization: