Semi-Automating IDORs: A Practical Approach to Working Smarter, Not Harder

Muhammed K. Sayed
5 min readNov 22, 2023

--

Assalamu alaikum wa rahmatullahi wa barakatuh Folks,

imma talk today about how do I try to automate IDORs sometimes to save some time and earn more money

Lets get to the action part

https://giphy.com/gifs/looneytunesworldofmayhem-world-of-mayhem-looney-tunes-ltwom-RbDKaczqWovIugyJmW

First, you cant do this process without having an idea about how your target is creating the IDs for the parameters for users,videos,blogs, everything, How it process these IDs, like is it sending it in a cookie value? a POST parameter? GET parameter? JWT token in authorization header? an ascii hex? maybe encrypted userID ? a GUID v1 or v4?

Second, identify the endpoints that take/accept the ID we were able to identify, so for example lets assume that there’s a parameter called userID we’re trying to hack :p, we need all endpoints that have used it from our burp project, we will use regexes :D, so if our target is using our parameter in json object in POST request, we will use this regex for example

HTTP/2\r\n.*"userID":

this regex will look for all POST requests with parameter userID in it

and for sure you might want to look for endpoint in the javascript, by identifying how the developer is calling the userID in his code, he maybe using user_id , how would you know? search for an endpoint you know for sure its using the userID parameter in the javascript file and see the code that is responsible for setting the request data, then search for the parameter “the developer is calling” in all javascript files and collect the endpoints that use it, and if the userID parameter is a urlencoded parameter in GET request you should look for it in wayback machine too, and google dorks ‘consider it as a home work’

now its time for using our most valuable tool OUR BRAIN

Third, we have to collect all required parameter used in our requests to prevent some errors to happen, and false positives

from our burp search results press

ctrl/command + A -> right click -> uncheck save as base64 encoded -> save

saving requests

make a regex to grab the required parameters too “consider it as a home work” so if its in a regex request body, make a regex that matches "string":anything till comma or } , if your dealing with regexes regularly it would be fun for you, if you’re not just practice more, or get some help from GPT, i use it alot

you should be having something like this for example

"param1":"value"
"param2":"value"
"param3":"value"
"param1":"value"

you would definitely want to remove duplicates, using sublime i do this

deduplicating

now, its a pure scripting phase using python, you can use your favorite scripting language

after having all requests/endpoints that have our parameter userID we should be having a list like

/endpoint/users
/endpoint/users/bookings
/endpoint/users/reminders
/endpoint/users/passwords

so we need to turn them into a python list, open your fav code editor, i’ll be using sublime text

replace regex ^ with "and $ with ", as in here

turning endpoint to python list for looping in them

now, you’ll only have to add the brackets to make it a list [before first endpoint and ] after last endpoint

so it should be like

[
"/endpoint/users",
"/endpoint/users/bookings",
"/endpoint/users/reminders",
"/endpoint/users/passwords"
]

now we need the cookies and headers to used them in our script, i use this burp extension copy as python-requests

import requests

burp0_url = "<url>"
burp0_cookies = {"_csrfSecret": "7SzZ2udqHWCNBTlsQKoFyNsU", other cookies}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "application/json", "X-Csrf-Token": "AAhWIM7F3eoSJIhgCTV4xthJk1ar12ovTBeArj4F", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Te": "trailers"}
burp0_json={"userID": "1698912852405"}

requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json)

please note that

you can use this method to

  1. select all request and copy them all, and match parameters instead of saving the requests to file

2. select all urls from it instead of burp but you will need to remove burp\n_ from the variable name, so you are able to match them all using url = .*, and you’ll have to add comma at the end of the lines to have a list, you get what i wanna tell you right? regexes is your friend in automation :D

for our flow, we’ll just need the cookies and headers, because we matched the endpoints before, now we just need a lil if condition to know the success result

after understanding how your target is responding to all types of requests you should be able to identify unauthorized request, unauthenticated requrst,and errors requests, every web application is responding differently depends on its configuration, i mean you may get 200 OK status code but in its response its telling you you're unauthorized to do this action , so make the if statement suits your target, for example i may make it like

if 'unauthorized` not in r.text:
print(f"{URL}" passed!")

now its time to combine things together :D

  1. import requests lib
  2. add the list of urls we’ve collected in a variable urls
  3. loop in the URLs list so in every loop it sends a request to a URL with data, headers, and cookies DONT FORGET TO REPLACE THE userID parameter with the victim’s one “your second account for testing”
  4. the if statement inside the loop to check if the request has been sent successfully
import requests

urls = [
"/endpoint/users",
"/endpoint/users/bookings",
"/endpoint/users/reminders",
"/endpoint/users/passwords"
]

cookies = {
"_csrfSecret": "7SzZ2udqHWCNBTlsQKoFyNsU",
other cookies
}
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0",
"Accept": "*/*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate, br",
"Content-Type": "application/json",
"X-Csrf-Token": "AAhWIM7F3eoSJIhgCTV4xthJk1ar12ovTBeArj4F",
"Sec-Fetch-Dest": "empty",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Site": "same-origin",
"Te": "trailers"
}
datajson = {
"userID": victimUserID,
"param1":"value1",
"param2":"value2",
"param3":"value3"
}

for url in urls:
# sending post request
response = requests.post(url, headers=headers, cookies=cookies, json=datajson)
# handling response
if 'unauthorized' not in response.text:
print(f"{url} VULNERABLE TO IDOR, can you confirm it?")

Some notes

  1. you will need to improvise sometimes to collect the parameters and play around with regexes to match what you want
  2. you should have used a burp project from day 0 of hacking your target because it stored every request you sent, so it will have alot of endpoints there to grab the parameters from it

feel free to ask/contact me if you want ;)

my twitter account https://x.com/mux0x

--

--