Some ways to find more IDOR

  1. No ID, No Worry

Key Takeaways

Try to understand the application (how does this API/request authorize users, why is there no parameter, etc.) and analyze requests and responses carefully. You could find more IDORs.

Key Takeaways

(Old but gold): Don't just replace IDs and hope for luck. Try fuzzing every possible character (my list is %00 -> %ff) to break the logic of the regex or pattern that the server uses to restrict access. The more you fuzz, the luckier you get.
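Seen from the defender's side, the sweep above only finds something when the access rule is a pattern on the raw value while the backend normalises that value afterwards. The following Python sketch is an added example, not code from the original article; the data and the names OWNERS, backend_resolve, weak_can_read, hardened_can_read and sweep are constructed. It puts such a rule beside a check that decodes once and decides on ownership, and runs the same %00 -> %ff sweep as a regression test.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample data: document ID -> owning user (hypothetical names).
OWNERS = {"1001": "alice", "1002": "bob"}

def backend_resolve(raw_id):
    """Lenient backend lookup: percent-decodes, then parses with int()."""
    try:
        # int() silently ignores surrounding whitespace such as "\n".
        doc_id = str(int(unquote_to_bytes(raw_id).decode("latin-1")))
    except ValueError:
        return None
    return doc_id if doc_id in OWNERS else None

def weak_can_read(user, raw_id):
    """Pattern filter on the raw value, applied before the backend normalises it."""
    for doc_id, owner in OWNERS.items():
        if owner != user and re.fullmatch(re.escape(doc_id), raw_id):
            return False  # blocks only the exact spelling of a foreign ID
    return backend_resolve(raw_id) is not None

def hardened_can_read(user, raw_id):
    """Decode once, demand the canonical form, then decide on ownership."""
    decoded = unquote_to_bytes(raw_id).decode("latin-1")
    if not re.fullmatch(r"[0-9]{1,18}", decoded):
        return False
    return OWNERS.get(decoded) == user

def sweep(check, user="alice", target="1002"):
    """Suffixes %00..%ff for which `check` lets `user` read someone else's `target`."""
    return [f"%{b:02x}" for b in range(256) if check(user, f"{target}%{b:02x}")]

if __name__ == "__main__":
    print("weak filter leaks on:", sweep(weak_can_read))
    print("hardened check leaks on:", sweep(hardened_can_read))
```

Running the sweep against your own authorization function in CI turns the takeaway into a test: any non-empty result means the filter and the lookup disagree about what the ID is.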

Key Takeaways

Don’t ignore anything. 😜

Thái Vũ


A noob hacker hack to learn to protect noob apps from another noob hackers!