Typefully

Tips and tricks for IDOR hunting. by @InonShkedy 👇

3 years ago

ย โ€ขย 

View on X

Tips and tricks for IDOR hunting. by @InonShkedy ๐Ÿ‘‡
1. Object IDs in URLs tend to be less vulnerable. Try to put more effort on IDs in HTTP headers / bodies. (my emphasis) Also, look for other non-ID parameters used as identifiers.
2. GUID instead of numeric values? Don't give up! Use the "session label swapping" technique or find endpoints that return IDs of objects that belong to other users. (my emphasis) Basically, test using multiple accounts.
3. Always try numeric IDs. If an endpoint receives a non-numeric object ID, like a GUID or an email address, try replacing the GUID/email with a number. (my emphasis) Also, try replacing it with "*".
4. Received 403/401 once? Don't give up! It's not extremely common, but some weird authorization mechanisms only work partially. Try many different IDs. For example: if the endpoint "api/v1/trips/666" returned 403, run a script to enumerate 50 random IDs from 0001 to 9999.
5. Find the most niche features in the application. (my emphasis) And that's usually miles away from the main functionalities of the app. With these features, developers might not have thought through authorization properly.
6. I modified the original text of @InonShkedy a bit to fit into Twitter's reqs. Read it entirely below. Any other API tips that you know of? Comment 👇 #pentesting #appsec #infosec #cybersecurity #hacking #bugbountytips #bugbounty #ethicalhacking inonst.medium.com/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2

🇷🇴 cristi

@CristiVlad25
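The authorization gap these tips probe, seen from the defender's side, as an added example that is not part of the thread or of @InonShkedy's article: a minimal handler for the thread's `api/v1/trips/{id}` endpoint with the object-level check missing, the same handler hardened (owner check plus rejection of the numeric and `*` substitutions tip 3 mentions), and a cross-account regression check of the kind tip 2 describes, where every session requests every object. Everything in it is constructed: the users, session tokens, trip IDs and function names are assumptions, and there is no web framework; requests are plain function calls.

```python
"""Added example (not code from the thread or from @InonShkedy's article):
an object-level authorization (IDOR/BOLA) gap beside its fix, with a
cross-account regression check. All data is constructed; names are assumed."""
import uuid

# Constructed sample data: two users with one session token each, two trips.
USERS = {"alice": "sess-alice", "bob": "sess-bob"}          # user -> session token
SESSIONS = {token: user for user, token in USERS.items()}   # session token -> user
ALICE_TRIP = "0b7e2f52-1a43-4d6e-9c1f-3b5d7a9e1c21"         # constructed UUIDs
BOB_TRIP = "8a4d6b1e-2c7f-4e3a-b5d9-6f1e2a3c4d5e"
TRIPS = {
    ALICE_TRIP: {"owner": "alice", "destination": "Oslo"},
    BOB_TRIP: {"owner": "bob", "destination": "Lima"},
}


def get_trip_vulnerable(session_token, trip_id):
    """GET /api/v1/trips/{trip_id} as many apps write it: the caller is
    authenticated, but nobody checks that the caller owns the trip."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    trip = TRIPS.get(trip_id)
    if trip is None:
        return 404, None
    return 200, trip            # any logged-in user can read any trip


def get_trip_hardened(session_token, trip_id):
    """Same endpoint with object-level authorization added."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    # Reject anything that is not a well-formed UUID before it reaches the
    # data layer (a numeric ID or "*" in place of a GUID is malformed here).
    try:
        uuid.UUID(str(trip_id))
    except ValueError:
        return 400, None
    # Look the trip up and require that the caller is its owner. A trip that
    # exists but belongs to someone else gets the same 404 as a missing one,
    # so the response does not confirm which IDs exist.
    trip = TRIPS.get(trip_id)
    if trip is None or trip["owner"] != user:
        return 404, None
    return 200, trip


def cross_account_leaks(handler):
    """Regression check: every session requests every trip. A 200 for a trip
    the caller does not own is an object-level authorization leak."""
    leaks = []
    for user, token in USERS.items():
        for trip_id, trip in TRIPS.items():
            status, _ = handler(token, trip_id)
            if status == 200 and trip["owner"] != user:
                leaks.append((user, trip_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_leaks(get_trip_vulnerable))
    print("hardened handler leaks:  ", cross_account_leaks(get_trip_hardened))
```

The hardened handler scopes the lookup to the caller rather than trusting the ID, which is the fix regardless of whether the ID arrives in the URL, a header or the body (tip 1). The cross-account loop is cheap enough to keep in a test suite so the check does not silently disappear from the "niche" endpoints tip 5 points at.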