Test cases for IDORs


Saransh Srivastav

Source — Medium

Hey everyone, I hope you all are doing well during this quarantine period. So after learning about CSRF and finding a couple of them :) I wanted to move to the next bug class, which is IDOR. So I started reading writeups, and after reading many of them I started exploiting them. One thing I realized was that after reading lots of blogs I sometimes forget how a researcher exploited that functionality. So I started making test cases for every writeup. This helped me understand the application functionality more deeply and also made the cases easier to remember. And if you are in the bug bounty field, trying to understand other people’s approaches helps a lot.

So what I’m going to do is share some test cases which I personally wrote from other people’s writeups.

So here are some cases which helped me to find some bugs :)

Case 1) Posting Comments of a User from one Video to Another.

1) The website has a functionality to review user comments. For example, you uploaded a video on the website, and the site lets you review users’ comments before they get posted in the comment section of your video.

2) When you visit the review option you will see the user’s comment. Click on approve and intercept that request; at the end of it you will see two parameters, comment_id and video_id.

3) If you change the video_id the server shows an error, but if you change the comment_id to another value it will post another user’s comment on your video.

# How do I get the comment id of the other user?

Just go to another video, click on any comment, and intercept that request; you will see the comment_id :)

Takeaway -> Sometimes, if you don’t know another user’s id or any other value of theirs, try accessing their public profile or any functionality where you can see the other user’s info; you might see some values which will come in handy.

Full Writeup ->

https://secgeek.net/youtube-vulnerability/

Case 2) Deleting Comments of Other Users on a Post.

1) A website has a functionality to delete a comment which you posted on a post.

2) Click on delete and intercept that request in Burp Suite; you will see a parameter comment_id. Try changing it to the comment id of another user. You will see that the comment is deleted on behalf of the other user.

Takeaway -> Try to discover all the functionality and test all of it. Whenever you see functionality like uploading or deleting a post, there are multiple things you can test, for example ->

a) Can you post or delete that post on behalf of other users?

b) Can you edit that post on behalf of other users?

c) Can you comment or delete that comment on behalf of other users?

d) Can you like or dislike another user’s post? The impact gets bigger if you can get a like from a celebrity :).

Similar Writeup -> https://secgeek.net/yahoo-comments-vulnerability/

Case 3) Unsubscribing from the newsletter on behalf of other users.

1) Whenever you sign up with a company and link your email account to it, you will notice that emails are sent to you about their products and services, and at the end of the mail you will see an unsubscribe option.

2) Click on that and intercept the request; you will see a parameter. If it is your email id, change it to another user’s. Sometimes the email id is base64 encoded; take the victim’s email id and convert it into base64.

Takeaway -> Not many bug hunters test functionality outside of the application, like newsletter and forgot-password mails.

Case 4) Downloading the files of other users through the chatbox.

1) A functionality on the website allows you to send messages and share files.

2) When you share a file with another user, intercept that request in Burp Suite and you will notice that the file you shared is referenced by a parameter file_id.

3) Change that id to another value and you will see that you can share other users’ files. This leads to disclosure of other users’ sensitive files.

Takeaway -> If you are sharing files with a user on the website, intercept that request and see whether you can share another user’s file.
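As an added example (not code from the original post or from any of the linked writeups), here is a server-side model of the Case 1 approve-comment handler: first as the post describes it, where only video_id is checked, and then with the object-level authorization check that makes the comment_id swap fail. The same owner lookup on the referenced object is what stops the comment_id swap in Case 2 and the file_id swap in Case 4; all users, ids and stores are constructed for the example.

```python
from dataclasses import dataclass, replace


class Forbidden(Exception):
    """Raised when the caller may not act on the referenced object."""


@dataclass(frozen=True)
class Comment:
    comment_id: int
    video_id: int
    approved: bool = False


# Constructed sample store: video_id -> owner, comment_id -> pending comment.
VIDEO_OWNER = {101: "alice", 102: "bob"}
COMMENTS = {
    5001: Comment(5001, 101),  # pending on alice's video
    5002: Comment(5002, 102),  # pending on bob's video
}


def approve_comment_vulnerable(user, comment_id, video_id):
    """Behaviour described in Case 1: only the video is authorised, while
    comment_id is trusted as sent, so a comment id read off another video
    gets approved onto the caller's own video."""
    if VIDEO_OWNER.get(video_id) != user:
        raise Forbidden("not your video")  # the video_id swap is caught ...
    comment = COMMENTS[comment_id]         # ... but comment_id is not
    return replace(comment, video_id=video_id, approved=True)


def approve_comment_fixed(user, comment_id, video_id):
    """Hardened form: resolve comment_id server-side, take its video from the
    stored record rather than the request, and require ownership of it."""
    comment = COMMENTS.get(comment_id)
    if comment is None or comment.video_id != video_id:
        raise Forbidden("comment does not belong to this video")
    if VIDEO_OWNER.get(comment.video_id) != user:
        raise Forbidden("not your video")
    return replace(comment, approved=True)


def attempt(handler, user, comment_id, video_id):
    """Run a handler and report the outcome as a string."""
    try:
        result = handler(user, comment_id, video_id)
        return f"approved comment {result.comment_id} on video {result.video_id}"
    except Forbidden as why:
        return f"denied: {why}"


if __name__ == "__main__":
    # alice submits bob's comment 5002 with her own video 101
    print(attempt(approve_comment_vulnerable, "alice", 5002, 101))
    print(attempt(approve_comment_fixed, "alice", 5002, 101))
```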

I am not a pro-level bug bounty hunter; I’m still learning and I always will be. And if you are at the beginner level and are unable to understand the above cases, it’s completely fine.

You didn’t learn 100%, but at least you have learned 1%, and that’s progress, because next time you will learn 2%, and that’s how you gain experience :)

Thanks for reading; you can contact me on Twitter.
