Tips and tricks for IDOR hunting, by @InonShkedy
1. Object IDs in URLs tend to be less vulnerable. Try to put more effort on IDs in HTTP headers / bodies.
(my emphasis) Also, look for other non-ID parameters used as identifiers.
2. GUID instead of numeric values? Don't give up!
Use the "session label swapping" technique or find endpoints that return IDs of objects that belong to other users.
(my emphasis) Basically, test using multiple accounts.
3. Always try numeric IDs.
If an endpoint receives a non-numeric object ID, like a GUID or an email address, try replacing the GUID/email with a number.
(my emphasis) Also, try replacing it with "*".
4. Received 403/401 once? Don't give up!
It's not extremely common, but some weird authorization mechanisms only work partially.
Try many different IDs. For example: if the endpoint "api/v1/trips/666" returned 403, run a script to enumerate 50 random IDs from 0001 to 9999.
5. Find the most niche features in the application.
(my emphasis) And that's usually miles away from the main functionalities of the app.
With these features, developers might not have thought through authorization properly.
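The bug behind tips 1 to 3 is an object lookup keyed only on the ID the client submits, with no check that the object belongs to the caller; the "test using multiple accounts" advice is exactly the check a developer should run against their own endpoints before a hunter does. The example below is added here and is not code from @InonShkedy or the poster: it models a trips store with two accounts, shows a lookup that ignores ownership (and quietly still accepts a legacy numeric ID, which is why tip 3 pays off) beside a lookup scoped to the requesting account, and a two-account check that replays the owner's IDs, the numeric variant and "*" as the other user. Trip IDs, account names and the legacy numbers are constructed sample data.

```python
"""Vulnerable object lookup beside its hardened form, plus a two-account
authorization check. Store, GUIDs and account names are constructed samples."""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Trip:
    trip_id: str        # GUID exposed to clients
    legacy_number: int  # older numeric ID the vulnerable lookup still accepts
    owner: str


# Constructed sample data: one trip per account.
ALICE_TRIP = Trip("7f1c0b4e-2c3a-4f3e-9a11-3d4b6c0c0001", 666, "alice")
BOB_TRIP = Trip("0c9e5e1d-6a7b-4d2c-8e33-1f2a3b4c0002", 667, "bob")
TRIPS = {t.trip_id: t for t in (ALICE_TRIP, BOB_TRIP)}
TRIPS_BY_NUMBER = {t.legacy_number: t for t in TRIPS.values()}


def get_trip_vulnerable(current_user: str, trip_id: str) -> Trip:
    """Looks the trip up by ID alone: any logged-in user can read any trip.
    The GUID is not the only accepted key, a bare numeric ID also resolves."""
    if trip_id.isdigit():
        trip = TRIPS_BY_NUMBER.get(int(trip_id))
    else:
        trip = TRIPS.get(trip_id)
    if trip is None:
        raise LookupError("not found")
    return trip


def get_trip_hardened(current_user: str, trip_id: str) -> Trip:
    """Rejects anything that is not a well-formed GUID, then requires that the
    object belongs to the caller. Both failures raise the same 'not found' so
    the response does not reveal whether the ID exists for someone else."""
    try:
        uuid.UUID(trip_id)  # raises ValueError for "*", "666", etc.
    except ValueError:
        raise LookupError("not found")
    trip = TRIPS.get(trip_id)
    if trip is None or trip.owner != current_user:
        raise LookupError("not found")
    return trip


def cross_account_check(lookup, owner: str, other_user: str) -> dict:
    """Replays every object ID owned by `owner`, plus its numeric and "*"
    variants, as `other_user`. Returns {candidate_id: "READ" | "denied"};
    any "READ" for a lookup means it lacks an ownership check."""
    results = {}
    for trip in TRIPS.values():
        if trip.owner != owner:
            continue
        for candidate in (trip.trip_id, str(trip.legacy_number), "*"):
            try:
                lookup(other_user, candidate)
                results[candidate] = "READ"
            except LookupError:
                results[candidate] = "denied"
    return results


if __name__ == "__main__":
    for name, fn in (("vulnerable", get_trip_vulnerable),
                     ("hardened", get_trip_hardened)):
        print(name, cross_account_check(fn, "alice", "bob"))
```

Run as a script, the vulnerable lookup reports alice's GUID and the numeric "666" as readable by bob, while the hardened lookup denies all three and still serves alice her own trip. The check is cheap to keep in a test suite for every object-returning endpoint, which is the defender's version of tip 5: niche endpoints get the same ownership assertion as the main ones.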