gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-12-29 22:20:26 -08:00
Code Issues Packages Projects Releases Wiki Activity

Normalize page header for GraphQL, Deserialization, SCM

Browse Source
This commit is contained in:
Swissky
2024-11-10 14:37:48 +01:00
parent 2deb20a6f1
commit 2304101657
21 changed files with 262 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
Insecure Direct Object References/README.md
View File

@@ -1,19 +1,19 @@
# Insecure Direct Object References
> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP
> Insecure Direct Object References (IDOR) is a security vulnerability that occurs when an application allows users to directly access or modify objects (such as files, database records, or URLs) based on user-supplied input, without sufficient access controls. This means that if a user changes a parameter value (like an ID) in a URL or API request, they might be able to access or manipulate data that they arent authorized to see or modify.
## Summary
* [Tools](#tools)
* [Labs](#labs)
* [Exploit](#exploit)
* [Methodology](#methodology)
* [Numeric Value Parameter](#numeric-value-parameter)
* [Common Identifiers Parameter](#common-identifiers-parameter)
* [Weak Pseudo Random Number Generator](#weak-pseudo-random-number-generator)
* [Hashed Parameter](#hashed-parameter)
* [Wildcard Parameter](#wildcard-parameter)
* [IDOR Tips](#idor-tips)
* [Labs](#labs)
* [References](#references)
@@ -24,12 +24,7 @@
- [PortSwigger/BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
## Labs
- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
## Exploit
## Methodology
IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion.
@@ -130,6 +125,11 @@ Send a wildcard (`*`, `%`, `.`, `_`) instead of an ID, some backend might respon
* Use Parameter Pollution: `user_id=hacker_id&user_id=victim_id`
## Labs
- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
## References
- [From Christmas present in the blockchain to massive bug bounty - Jesse Lakerveld - March 21, 2018](http://web.archive.org/web/20180401130129/https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)