IDOR hunting workflow I keep coming back to:
1) Map object IDs (UUIDs, ints, slugs) across endpoints (REST + GraphQL).
2) Change one dimension at a time: user_id, org_id, project_id.
3) Watch for soft failures: 200 with partial data, empty arrays, unexpected responses.
4) Test non-GETs too: PATCH/DELETE often skip the same checks.
5) Test for different paths/platforms: UI vs API vs mobile vs webapp.
Most IDORs aren’t fancy, they’re just inconsistent, and it only takes one.
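Added example, not code from the post above: the five steps turned into a small probe. The target is a constructed in-memory API (made-up records, tenants and handlers) so the script runs offline; the point it demonstrates is steps 2 to 4, mutating exactly one ID per request and bucketing the 200s into no-effect, empty, partial and leak instead of only looking for 403s. Swap `fake_api` for a function that issues real requests only against a target you are authorized to test.

```python
# Constructed target: two orgs, three records, and the inconsistency the
# workflow hunts for (GET enforces tenant checks, PATCH only checks existence).
DB = {
    100: {"record_id": 100, "org_id": "org-1", "user_id": "user-10",
          "email": "a@example.test", "ssn_last4": "1234"},
    200: {"record_id": 200, "org_id": "org-2", "user_id": "user-20",
          "email": "b@example.test", "ssn_last4": "5678"},
    300: {"record_id": 300, "org_id": "org-1", "user_id": "user-11",
          "email": "c@example.test", "ssn_last4": "9999"},
}
ME = {"org_id": "org-1", "user_id": "user-10"}              # identity behind our token
BASELINE = {"org_id": "org-1", "user_id": "user-10", "record_id": 100}
VARIATIONS = {                                              # step 2: one dimension at a time
    "record_id": [200, 300],
    "user_id": ["user-20"],
    "org_id": ["org-2"],
}
PII_FIELDS = ("email", "ssn_last4")


def fake_api(method, params, auth):
    """Stand-in server; nothing is persisted, so PATCH is safe to repeat."""
    if method == "GET" and params["org_id"] != auth["org_id"]:
        return 403, {"error": "forbidden"}
    rec = DB.get(params["record_id"])
    if rec is None:
        return 404, {"error": "not found"}
    if method == "GET":
        if rec["org_id"] != params["org_id"]:       # org filter silently drops it
            return 200, {"data": []}
        if rec["user_id"] != auth["user_id"]:       # other user: PII stripped
            return 200, {"data": [{k: v for k, v in rec.items() if k not in PII_FIELDS}]}
        return 200, {"data": [rec]}
    if method == "PATCH":                           # missing ownership check
        return 200, {"data": [{**rec, **params.get("body", {})}]}
    return 405, {"error": "method not allowed"}


def classify(status, body, baseline_body):
    """Step 3: bucket a response; the 200s are where IDORs hide."""
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "hidden"
    if status != 200:
        return "other-%d" % status
    if body == baseline_body:
        return "no_effect"          # the changed dimension was ignored
    data = body.get("data") or []
    if not data:
        return "soft-empty"         # 200 but nothing came back
    if set(data[0]) < set(baseline_body["data"][0]):
        return "soft-partial"       # 200 with fields missing
    return "leak"                   # full foreign object returned


def run_probe(send, baseline, auth, variations, methods=("GET", "PATCH")):
    """Steps 2-4: for each method, mutate one parameter and compare to baseline."""
    findings = {}
    for method in methods:
        _, base_body = send(method, baseline, auth)
        for dim, values in variations.items():
            for value in values:
                status, body = send(method, {**baseline, dim: value}, auth)
                findings[(method, dim, value)] = classify(status, body, base_body)
    return findings


if __name__ == "__main__":
    results = run_probe(fake_api, BASELINE, ME, VARIATIONS)
    for key, verdict in sorted(results.items(), key=str):
        print("%-6s %-10s %-8s -> %s" % (key[0], key[1], key[2], verdict))
```

Against this target the GET on a foreign record comes back as a silent empty list, the same-org record as a partial object, and the PATCH on both as a full leak, which is the "non-GETs skip the same checks" case from step 4.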
Weird GraphQL IDOR / access control bypass:
In this one, GraphQL would check the "tin" (tax identification number), if supplied, against the Bearer token. If the Bearer did not have access to the tin, you would get access denied. Normal stuff there. So my thought was, how could I make the server still look up the tin value without the access check?
It regularly expected:
\"tin\"
This causes the server, since "tin" is present, to check access control prior to returning data.
What worked was:
\"tin\\\"\"
So adding \\\" after tin bypassed the access control logic (for some reason), meanwhile the GraphQL query still ran and sent back the PII for any TIN I sent it.
#bugbounty is just strange sometimes. Some of the battle is finding neat endpoints and places, and some of it is endless tinkering.
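Added example, written by me and not taken from the post or its target: the author does not say why the escaped quote worked, so this is one hypothetical mechanism that reproduces the symptom, a parser differential between an authorization gate and the resolver. The assumed gate pulls the tin argument out of the raw query text with a regex that cannot see past an escaped quote, so a value like "987654321\"" looks to it as if no tin was supplied and it skips the check; the resolver lexes the string literal properly, normalizes it to digits and returns the record. Tokens, TINs, records and the `taxpayer` field are all constructed. The fixed variant authorizes the value the resolver actually uses.

```python
import re

ALLOWED = {"token-alice": {"123456789"}}        # constructed: bearer -> TINs it may read
PII = {                                          # constructed records
    "123456789": {"name": "Alice"},
    "987654321": {"name": "Bob"},
}

# Assumed naive extraction in the authorization gate: digits between quotes.
GATE_RE = re.compile(r'tin:\s*"(\d+)"')


def gate_extract_tin(query):
    """What the gate believes the tin argument is (None == 'not supplied')."""
    m = GATE_RE.search(query)
    return m.group(1) if m else None


def resolver_extract_tin(query):
    """Lexer-style read of the tin string literal, honouring backslash escapes
    (simplified: no \\u escapes, first 'tin:' occurrence only)."""
    start = query.find("tin:")
    if start == -1:
        return None
    i = start + len("tin:")
    while i < len(query) and query[i].isspace():
        i += 1
    if i >= len(query) or query[i] != '"':
        return None
    i += 1
    out = []
    while i < len(query):
        c = query[i]
        if c == "\\" and i + 1 < len(query):   # escaped char: take it literally
            out.append(query[i + 1])
            i += 2
            continue
        if c == '"':                           # closing quote
            return "".join(out)
        out.append(c)
        i += 1
    return None                                # unterminated literal


def normalize(raw):
    """Assumed lookup normalization: keep digits only."""
    return re.sub(r"\D", "", raw) if raw else None


def vulnerable_server(query, bearer):
    """Gate authorizes its own parse; resolver looks up a different parse."""
    seen_by_gate = gate_extract_tin(query)
    if seen_by_gate is not None and seen_by_gate not in ALLOWED.get(bearer, set()):
        return {"errors": ["access denied"]}
    tin = normalize(resolver_extract_tin(query))
    return {"data": PII.get(tin)}


def fixed_server(query, bearer):
    """Authorize the value the resolver will actually use, after parsing."""
    tin = normalize(resolver_extract_tin(query))
    if tin is None or tin not in ALLOWED.get(bearer, set()):
        return {"errors": ["access denied"]}
    return {"data": PII.get(tin)}


OWN = 'query { taxpayer(tin: "123456789") { name } }'
OTHER = 'query { taxpayer(tin: "987654321") { name } }'
BYPASS = 'query { taxpayer(tin: "987654321\\"") { name } }'   # tin: "987654321\""

if __name__ == "__main__":
    for label, q in (("own", OWN), ("other", OTHER), ("bypass", BYPASS)):
        print(label, "vulnerable:", vulnerable_server(q, "token-alice"),
              "fixed:", fixed_server(q, "token-alice"))
```

The general lesson, whatever the real root cause was: any time an access check and the data lookup parse the request independently, feeding in input that one parser rejects and the other tolerates is the first thing to try.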
It’s time to lock in. If you’re struggling with bug bounties, spend the next few weeks finding a target you personally enjoy. The bigger the scope, the better! Then focus on them every day for the entire year. Aim to hack 2-3 hours minimum a day. You’ll learn lots and find bugs.
GL!
In this write-up, I detail how I escalated info/P4 into P1 and avoided brute-forcing 36^11 for UUIDs by exploiting typical human behavior.
https://t.co/C2qAUB14iZ
Late one, hunted for 2 weeks in December and made $6000+. Excited for what we can achieve this year. Below are some writeups I published in 2025:
$1,500 Recon Tips: https://t.co/gOMDxw9etm
Lets $ Leak $ OTP: https://t.co/m2w8rcWOqq
From 429 to 200: https://t.co/VWEt9HM6YT
Hello everyone,
🧵Zero-click account takeover via Punycode email.
One of the most critical and interesting vulnerabilities I’ve discovered recently leads to a full account takeover with zero user interaction.
(1/7)