How to Approach IDOR hunting? via @InonShkedy 👇
1. Understand the business logic of the application
Don’t be on autopilot and don’t change random IDs in API calls until you see PII in the response. There are automatic tools that can do this for you. Think.
2. When you see an endpoint that receives an object ID from the client, ask yourself:
2.1. Does the ID belong to a private resource?
- e.g. “/api/news/articles/555” => all articles should be public. No IDOR here!
2.2. What are the IDs that belong to me?
3. Understand relationships between resources
For example, understand that there’s a relationship between “trips” and “receipts” and that each trip belongs to a specific user.
4. Understand the roles and groups in the API
Try to understand what the different possible roles in the API are. For example: user, driver, supervisor, manager.
5. Leverage the predictable nature of REST APIs to find more endpoints
For example: GET /api/chats/<chat_id>/message/<message_id>
Try POST instead of GET. If you get an error:
* Add a “Content-Length” HTTP header
* Change the “Content-Type”
* Be creative, try other methods
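The checklist above as a small triage script. This is an added example, not code from the thread or from @InonShkedy: the in-memory API (`mock_send`), the tokens, the trip/receipt IDs, the public articles endpoint and the deliberately missing ownership check on PUT are all constructed here for the demo; `probe_idor` and `Finding` are helper names chosen for this example. The probe encodes steps 2.1 (skip anything an anonymous caller can already read), 2.2/3 (start from IDs that belong to the victim, including nested trip -> receipt relationships), 4 (run the same probe under each role and judge hits against what the role is meant to see) and 5 (try every method on the same ID-bearing path, adding Content-Type and Content-Length on the non-GET attempts).

```python
"""IDOR triage helper following the checklist above (added example; all data
and the vulnerable PUT handler below are constructed for the demo)."""
from dataclasses import dataclass

# --- constructed stand-in for the target API ---------------------------------
USERS = {
    "tok-alice": {"id": 1, "role": "user"},
    "tok-bob": {"id": 2, "role": "user"},
    "tok-sup": {"id": 3, "role": "supervisor"},  # this role may read any trip
}
TRIPS = {10: {"owner": 1}, 11: {"owner": 2}}          # trip -> owning user (step 3)
RECEIPTS = {100: {"trip": 10, "amount": 42.0}, 101: {"trip": 11, "amount": 9.5}}
ARTICLES = {555: {"title": "Public article"}}          # no owner at all: public


def mock_send(method, path, headers, body=None):
    """Return (status, json) like an HTTP client would. Replace with a real
    transport (urllib, requests, ...) to run the probe against a live API."""
    parts = path.strip("/").split("/")
    # /api/news/articles/<id>: public, readable with no token (step 2.1)
    if parts[:3] == ["api", "news", "articles"] and len(parts) == 4:
        art = ARTICLES.get(int(parts[3]))
        return (200, art) if art and method == "GET" else (404, {})
    token = headers.get("Authorization", "").split(" ", 1)[-1]
    user = USERS.get(token)
    if user is None:
        return 401, {}
    # /api/trips/<trip_id>/receipts/<receipt_id>: private nested resource
    if parts[:2] == ["api", "trips"] and len(parts) == 5 and parts[3] == "receipts":
        trip, rec = TRIPS.get(int(parts[2])), RECEIPTS.get(int(parts[4]))
        if trip is None or rec is None or rec["trip"] != int(parts[2]):
            return 404, {}
        owned = trip["owner"] == user["id"] or user["role"] == "supervisor"
        if method == "GET":
            return (200, rec) if owned else (403, {})
        if method == "PUT":
            # Constructed gap for the demo: 'owned' is never consulted on the
            # update path, so any authenticated user can modify any receipt.
            rec.update(body or {})
            return 200, rec
        return 405, {}
    return 404, {}


# --- the probe ---------------------------------------------------------------
@dataclass(frozen=True)
class Finding:
    method: str
    path: str
    attacker: str
    status: int


def _auth(token):
    return {"Authorization": f"Bearer {token}"}


def probe_idor(send, template, id_tuples, victim, attacker,
               methods=("GET", "POST", "PUT", "PATCH", "DELETE")):
    """Replay the victim's object IDs under the attacker's token.

    template  : path with one {} per ID, e.g. "/api/trips/{}/receipts/{}"
    id_tuples : IDs known to belong to the victim (steps 2.2 and 3)
    A finding is any 2xx the attacker receives on a resource that is private,
    i.e. the victim can read it and an anonymous caller cannot (step 2.1).
    Every method is tried on the same path (step 5); the non-GET attempts
    carry Content-Type and Content-Length, the headers the thread suggests
    adding when a bare method switch errors out.
    """
    findings = []
    for ids in id_tuples:
        path = template.format(*ids)
        if send("GET", path, _auth(victim))[0] != 200:
            continue  # not the victim's resource: nothing to compare against
        if send("GET", path, {})[0] == 200:
            continue  # anonymously readable: public resource, no IDOR here
        for method in methods:
            headers = _auth(attacker)
            if method != "GET":
                headers.update({"Content-Type": "application/json",
                                "Content-Length": "2"})
            status, _ = send(method, path, headers, body={})
            if 200 <= status < 300:
                findings.append(Finding(method, path, attacker, status))
    return findings


def run_demo():
    """Alice's receipt on her own trip, replayed as Bob (same role) and as a
    supervisor (a role meant to read any trip, so its GET hit is expected)."""
    template = "/api/trips/{}/receipts/{}"
    alice_ids = [(10, 100)]
    return {
        "peer": probe_idor(mock_send, template, alice_ids, "tok-alice", "tok-bob"),
        "supervisor": probe_idor(mock_send, template, alice_ids, "tok-alice", "tok-sup"),
        "public": probe_idor(mock_send, "/api/news/articles/{}", [(555,)],
                             "tok-alice", "tok-bob"),
    }


if __name__ == "__main__":
    for label, hits in run_demo().items():
        print(label, [f"{f.method} {f.path} -> {f.status}" for f in hits])
```

Read the output against the role model (step 4): Bob's PUT hit on Alice's receipt is the real finding, while the supervisor's GET hit is by design and only the supervisor's PUT hit needs a second look. The public articles path produces nothing because the anonymous baseline already returns 200.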