Insecure Direct Object Reference (IDOR)

Change HTTP method

GET /users/delete/123 -> 403
POST /users/delete/123 -> 200

Change file extension

Try changing the file extension of the endpoint you have found.

#Endpoint found
/users/password -> 401

#Endpoints to test

Convert request body

Convert the body of the request to an array, or wrap it in a JSON object.

#Original body


Test wildcards

Change the identifier of the request to a wildcard.

#Original request

#Wildcard bypasses

Check another version

Many API endpoints expose the version in the request; try changing it to an older one.

#Original request

#Changed version of the same endpoint

Missing Function Level Access Control (MFLAC)

GET /admin/profile -> 401
GET /ADMIN/profile -> 200

Path Traversal Secondary Context

#Original request
POST /users/delete/123 -> 403

POST /users/delete/MY_ID/../123 -> 200

HTTP Parameter Pollution

GET /api/v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID
GET /api/v1/messages?user_id=VICTIM_ID&user_id=ATTACKER_ID
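Every bypass on this page works because the server keys its authorization decision on some mutable part of the request shape (method, extension, case, version prefix, dot segments, the first or last copy of a repeated parameter) instead of on the canonical object and the authenticated principal. The following is an added defensive example, not code from the original page or any real framework: a small server-side gate that canonicalises the request target before looking it up in a route table, refuses duplicated query parameters, and validates object ids strictly so that wildcards never reach the data layer. All principals, routes and ids are constructed for the example.

```python
"""Authorization gate resistant to request-shape bypasses.

Constructed example: the principals, routes and ids below are made up.
The decision depends only on (principal, canonical path, object id), so
changing the HTTP method, adding an extension, switching case, downgrading
the API version, inserting ../ segments or repeating a query parameter
cannot change the outcome.
"""
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample users; "id" is the object id each user owns.
PRINCIPALS = {
    "alice": {"id": 123, "role": "user"},
    "bob":   {"id": 456, "role": "user"},
    "root":  {"id": 1,   "role": "admin"},
}

# Object ids are plain integers; '*', '%', '123*' and friends all fail this.
ID_RE = re.compile(r"[0-9]{1,18}")

# Route table keyed on the canonical path only. owner_source says where the
# object id comes from ("path:<group>" or "query:<param>"); None means the
# route is scoped to the caller and carries no foreign object id.
ROUTES = [
    (re.compile(r"^/users/delete/(?P<user_id>[^/]+)$"), "path:user_id",  "user"),
    (re.compile(r"^/users/password$"),                   None,            "user"),
    (re.compile(r"^/messages$"),                         "query:user_id", "user"),
    (re.compile(r"^/admin/profile$"),                    None,            "admin"),
]


def canonical_path(raw_target):
    """Reduce a request target to the form the route table is keyed on."""
    path = urlsplit(raw_target).path
    # Resolve "." and ".." so /users/delete/9/../123 becomes /users/delete/123.
    path = posixpath.normpath("/" + path.lstrip("/"))
    segments = [s.lower() for s in path.split("/") if s]
    # /api/v1/messages and /api/v2/messages are the same resource.
    if len(segments) >= 2 and segments[0] == "api" and re.fullmatch(r"v[0-9]+", segments[1]):
        segments = segments[2:]
    # /users/password.json is /users/password.
    if segments and "." in segments[-1]:
        segments[-1] = segments[-1].split(".", 1)[0]
    return "/" + "/".join(segments)


def single_valued_query(raw_target):
    """Parse the query string, refusing any parameter that appears more than once."""
    params = {}
    for key, value in parse_qsl(urlsplit(raw_target).query, keep_blank_values=True):
        if key in params:
            raise ValueError(f"duplicate query parameter {key!r}")
        params[key] = value
    return params


def authorize(principal_name, method, raw_target):
    """Return (allowed, reason). The method is accepted for logging only and
    never consulted: what is denied for GET is denied for POST as well."""
    principal = PRINCIPALS.get(principal_name)
    if principal is None:
        return False, "unauthenticated"
    try:
        params = single_valued_query(raw_target)
    except ValueError as exc:
        return False, str(exc)
    path = canonical_path(raw_target)
    for pattern, owner_source, min_role in ROUTES:
        match = pattern.match(path)
        if not match:
            continue
        if min_role == "admin" and principal["role"] != "admin":
            return False, f"{path} requires admin"
        if owner_source is None:
            return True, f"{path} is scoped to the caller"
        kind, name = owner_source.split(":")
        raw_id = match.group(name) if kind == "path" else params.get(name)
        if raw_id is None or not ID_RE.fullmatch(raw_id):
            return False, f"malformed object id {raw_id!r}"
        if int(raw_id) != principal["id"] and principal["role"] != "admin":
            return False, f"{principal_name} does not own object {raw_id}"
        return True, "caller owns the object or is admin"
    return False, f"no route for {path} (default deny)"


if __name__ == "__main__":
    # Constructed requests mirroring the bypass variants listed above.
    checks = [
        ("alice", "GET",  "/users/delete/456"),
        ("alice", "POST", "/users/delete/456"),
        ("alice", "POST", "/users/delete/123/../456"),
        ("alice", "GET",  "/users/delete/*"),
        ("bob",   "GET",  "/ADMIN/profile"),
        ("alice", "GET",  "/api/v1/messages?user_id=123&user_id=456"),
        ("alice", "GET",  "/api/v2/messages?user_id=123"),
        ("alice", "GET",  "/users/password.json"),
    ]
    for who, verb, target in checks:
        allowed, reason = authorize(who, verb, target)
        print(f"{verb:4} {target:45} {who:5} -> {'allow' if allowed else 'deny'}: {reason}")
```

The design point is that every normalisation happens before the route lookup and the ownership check, and anything that survives normalisation but is still not a well-formed id is rejected rather than passed to a query where it could act as a pattern. Swapping `GET` for `POST`, `/users/delete/123` for `/users/delete/MY_ID/../123`, or `v1` for `v2` all collapse to the same decision.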
