IDOR Tutorial: Hacking Information from Web Applications
The topic I will discuss today is one of the OWASP Top 10. Today's topic: IDOR (Insecure Direct Object Reference).
Many people may not know about it, so let's find out first.
What is IDOR: With this vulnerability, the information of any user of a website can be viewed without permission. For example, I can get information like the mobile number, email, and address of any user of the website. You can also take over another user's account.
What is possible with IDOR?
1. Getting information from the website.
2. Changing a user's password or email.
3. Changing user information.
4. Accessing a user's account.
This bug has also been found on Facebook, Twitter, and other national websites, so you can try.
What's the point?
I got this question in the last few posts. If Facebook can't be hacked, then there is no point in posting like this.
These are the hacking tutorials that I have posted. I don't post spam.
My tutorials can be black hat or white hat hacking. IDOR is a familiar name in bug bounty, and it's easy for bug bounty beginners. You can get a bounty from a minimum of 50 to a maximum of 5,000 or more.
What is needed:
2. Internet connection
3. Burp Suite
Now let's start step by step.
1. Enter your target website.
2. Log in to the website with your account. (Required to get the parameters.)
3. Now for our IDOR. First configure Burp Suite and the browser. To find an IDOR you need to check the responses of all tabs, sections, or APIs with Burp Suite. You need to find the IDOR parameter. There are many types of parameters, such as userid,
user / 112342,
login / 113354,
account / edit / 374838
4. I found the IDOR parameter in the Bank Details option on this website. I got the user id parameter. Bank Details > Add Bank Details > Now open Burp Suite and turn on Intercept > then select any one of the OTP / Password options; Burp Suite will capture the response automatically. This way you will find the parameter on this website.
Note: not every userid parameter here will work for IDOR. Only parameters that are numbered are possible candidates. Here my number follows a stream or serial.
But if the number is something like 37292993818379292, IDOR is not possible: such a large ID cannot be guessed, and neither can an ID that is randomly generated every time.
5. Select the parameter, right-click the mouse and click Do intercept > Response to this request. Then click Forward. Now you will see the new response.
6. Now we will see the information of our account: email and mobile number. So this website is vulnerable. Now it's time to exploit. Start again from the first step and bring your user ID into Burp's response.
7. Now we will not forward this response. Right-click the mouse anywhere, then click the Send to Repeater option. Turn off Intercept.
8. Now go to the Repeater tab of Burp.
Here you will see the previous response. Find our user ID below.
Now we will see the response by changing this ID number. I will change the last 2 digits of the ID number. I will use 06, 05, 04, 03 by changing the last 2 digits of my ID.
9. After changing the ID, I will click the Send button above.
10. Now you can see the information of the changed ID. You can see the information of the other user's account with their ID.
This is the basic concept. If you get the parameter in the response to the password change and it can be exploited, you can take over the account.
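As an added example (not code from the original post), here is a bank-details lookup with the IDOR this tutorial describes, beside a hardened version that authorizes against the session identity, plus a check that flags the sequential-ID probing from step 8 in constructed log lines. The endpoint path, session ids, record data and log format are all assumed.

```python
# Added example, not code from the original post: the IDOR described above,
# the hardened form, and a detector for sequential-id probing. Data constructed.
import re
import secrets
from collections import defaultdict

# Constructed records keyed by sequential user id, as in the tutorial.
BANK_DETAILS = {
    1003: {"email": "c@example.com", "mobile": "+10000000003"},
    1004: {"email": "d@example.com", "mobile": "+10000000004"},
    1005: {"email": "e@example.com", "mobile": "+10000000005"},
}


def bank_details_vulnerable(session_user_id, requested_user_id):
    """IDOR: trusts the id from the request; any logged-in user reads any record."""
    return BANK_DETAILS.get(requested_user_id)


def bank_details_hardened(session_user_id, requested_user_id):
    """Authorizes against the server-side session identity, not the request."""
    if requested_user_id != session_user_id:
        return None  # same shape as 'not found', so the check leaks nothing
    return BANK_DETAILS.get(session_user_id)


def new_record_id():
    """Random, non-sequential identifier so neighbouring ids cannot be guessed."""
    return secrets.token_urlsafe(16)


# Constructed access-log lines: session a1 walks ids 05, 04, 03 in Repeater.
LOG_LINES = """\
sess=a1 GET /account/bank?userid=1005 200
sess=a1 GET /account/bank?userid=1004 200
sess=a1 GET /account/bank?userid=1003 200
sess=b2 GET /account/bank?userid=1004 200
""".splitlines()

LINE_RE = re.compile(r"sess=(\w+) GET /account/bank\?userid=(\d+)")


def flag_enumeration(log_lines, threshold=2):
    """Return sessions that requested more than `threshold` distinct user ids."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)
```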