Testing for IDOR / Broken Object Level Authorization:
Difficulty: Easy
Tips: Don't blindly increment IDs by hand until you hit PII; tools can do this for you.
Ideas for finding IDOR attack vectors:
1. What do they use for authorization? (JWT, API keys, cookies, tokens) Tip: find this out by replacing a high-privilege authorization credential with a lower-privilege one and seeing what the server responds with.
2. Understand how they use IDs, hashes, and their API. Do this by reading the API documentation, if they have one.
Every time you see a new API endpoint that receives an object ID from the client, ask yourself the following questions:
Does the ID belong to a private resource? (e.g. /api/user/123/news vs /api/user/123/transaction)
Which IDs belong to me?
What are the different possible roles in the API? (For example: user, driver, supervisor, manager)
Bypassing Object Level Authorization:
Add parameters to the endpoint. For example, if there was
GET /api_v1/messages --> 401
vs
GET /api_v1/messages?user_id=victim_uuid --> 200
HTTP parameter pollution:
GET /api_v1/messages?user_id=VICTIM_ID --> 401 Unauthorized
GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID --> 200 OK
or with array-style parameters:
GET /api_v1/messages?user_id=YOUR_USER_ID[]&user_id=ANOTHER_USERS_ID[]
Add .json to the endpoint if it is built in Ruby!
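The server-side check that closes the cases above, as an added example (not code from the original notes): object ownership is derived from the authenticated session rather than the query string, repeated or array-suffixed user_id parameters are refused instead of letting the framework pick one, and a .json format suffix is normalised off the ID before the lookup. The message store and user IDs are constructed sample data.

```python
from urllib.parse import parse_qsl

# Constructed sample store: message id -> owning user and body.
MESSAGES = {
    "msg-1": {"owner": "user-a", "body": "hello from a"},
    "msg-2": {"owner": "user-b", "body": "b's private note"},
}

class AuthorizationError(Exception):
    """Raised when the request must be answered with 401/403."""

def resolve_user_id(query: str, session_user: str) -> str:
    """Decide whose objects this request may read.

    The authenticated session is the source of truth. A client-supplied
    user_id is accepted only when it equals the session user, and any
    repeated or array-suffixed key (user_id=a&user_id=b, user_id[]=a) is
    rejected outright rather than resolved to the first or last value.
    """
    params = parse_qsl(query, keep_blank_values=True)
    supplied = [v for k, v in params if k in ("user_id", "user_id[]")]
    if len(supplied) > 1:
        raise AuthorizationError("polluted user_id parameter")
    if supplied and supplied[0] != session_user:
        raise AuthorizationError("user_id does not match session")
    return session_user

def list_messages(query: str, session_user: str) -> list:
    """GET /api_v1/messages: only the caller's own messages are returned."""
    uid = resolve_user_id(query, session_user)
    return [m["body"] for m in MESSAGES.values() if m["owner"] == uid]

def get_message(message_id: str, session_user: str) -> str:
    """GET /api_v1/messages/{id}: ownership is checked after the lookup,
    so a guessed ID for someone else's object is refused."""
    # A format suffix (.json) must not reach a different code path that
    # skips the check, so strip it before the lookup.
    if message_id.endswith(".json"):
        message_id = message_id[: -len(".json")]
    msg = MESSAGES.get(message_id)
    if msg is None or msg["owner"] != session_user:
        # Same response for "missing" and "not yours" so the API does
        # not reveal which IDs exist.
        raise AuthorizationError("not found")
    return msg["body"]

def denied(fn, *args) -> bool:
    """True when the call is refused; used to exercise the checks."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False
```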