# A short checklist for BAC and IDOR | What to test for

thexssrat
## A general way of working

- Create two accounts, so that you can compare what each one is allowed to see.
- Check whether, from the second account, you can see data belonging to the first account that you should not be able to see (the request should contain an ID).
- Use the Autorize extension in Burp Suite or the Access Control Testing add-on in ZAP to replay one account's requests under the other account's session.
- If you can create multiple companies, do so and test IDOR between those companies' employees.
## BAC

- Test whether you can execute functions of a higher privilege level (unauthenticated and normal user > admin).
- Verify that functions reserved for higher-privilege users cannot be executed by a lower-privilege user.
- Test ALL user levels.
- Test with Autorize, and also manually:
  - JS functions called via the developer console
  - Copying and pasting a URL from the privileged session into the lower-privileged one
## IDOR

- Test between ALL tenants (companies hosted on one server/database; these can also be divisions of the same company).
- Test with Autorize, and also manually:
  - JS functions called via the developer console
  - Copying and pasting a URL from one tenant's session into another tenant's session
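The two-account comparison from the general way of working, and the vertical checks in the BAC section, can both be expressed as a small automated access-control matrix. The block below is an added example, not code from the checklist or from thexssrat: a constructed in-memory app with a vulnerable and a hardened object lookup, a vulnerable and a hardened admin-only function, and a check that replays every (user, object) pair the way Autorize replays one session's requests under another's. The users, tenants, invoices and the policy oracle are all assumptions made for the example.

```python
"""
Added example (not from thexssrat's checklist): a miniature in-memory
"application" with vulnerable and hardened handlers, plus a two-account
access-control matrix check that automates the checklist's "create two
accounts and compare" approach. Users, tenants, invoices and the policy
oracle below are all constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    tenant_id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant_id: int
    owner_id: int
    amount: int


# Two tenants ("companies", ids 100 and 200) with one user and one admin each.
USERS = {
    1: User(1, 100, "user"),
    2: User(2, 100, "admin"),
    3: User(3, 200, "user"),
    4: User(4, 200, "admin"),
}
INVOICES = {
    10: Invoice(10, 100, 1, 500),
    11: Invoice(11, 100, 2, 750),
    20: Invoice(20, 200, 3, 900),
}


class Forbidden(Exception):
    """Raised by a hardened handler when the caller is not authorized."""


def get_invoice_vulnerable(session_user: User, invoice_id: int) -> Invoice:
    """IDOR: the id from the request is looked up with no ownership check."""
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user: User, invoice_id: int) -> Invoice:
    """Object-level authorization: same tenant, and owner unless tenant admin."""
    inv = INVOICES[invoice_id]
    if inv.tenant_id != session_user.tenant_id:
        raise Forbidden("cross-tenant access")
    if session_user.role != "admin" and inv.owner_id != session_user.user_id:
        raise Forbidden("not the owner")
    return inv


def delete_user_vulnerable(session_user: User, target_id: int) -> bool:
    """BAC: an admin-only function with no role check at all."""
    return target_id in USERS


def delete_user_hardened(session_user: User, target_id: int) -> bool:
    """Vertical check (role) plus horizontal check (same tenant)."""
    if session_user.role != "admin":
        raise Forbidden("admin only")
    if USERS[target_id].tenant_id != session_user.tenant_id:
        raise Forbidden("cross-tenant access")
    return True


def denied(handler, *args) -> bool:
    """True if handler(*args) is refused with Forbidden."""
    try:
        handler(*args)
        return False
    except Forbidden:
        return True


def expected_invoice_access(u: User, inv: Invoice) -> bool:
    """Policy oracle: what SHOULD happen, written independently of the
    handlers so the matrix check can catch a mistake in either."""
    same_tenant = u.tenant_id == inv.tenant_id
    return same_tenant and (u.role == "admin" or inv.owner_id == u.user_id)


def access_matrix_violations(handler) -> list[tuple[int, int]]:
    """Replay every (user, invoice) pair through `handler`, the way Autorize
    replays one session's requests under another session, and return the
    (user_id, invoice_id) pairs that were granted but should have been denied."""
    violations = []
    for u in USERS.values():
        for inv in INVOICES.values():
            granted = not denied(handler, u, inv.invoice_id)
            if granted and not expected_invoice_access(u, inv):
                violations.append((u.user_id, inv.invoice_id))
    return violations


if __name__ == "__main__":
    print("vulnerable:", access_matrix_violations(get_invoice_vulnerable))
    print("hardened:  ", access_matrix_violations(get_invoice_hardened))
```

The point of the separate policy oracle is that the matrix check stays useful as a regression test: when a handler is changed, every cross-tenant and cross-role pair is exercised again, which is exactly the "test ALL user levels" and "test between ALL tenants" items of the checklist.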
## Check these parameters

Look for identifiers in all of these places:

- Inside files being uploaded
- Inside the URL fragment
- Inside URL query parameters
- Inside POST body parameters
- Inside JWT claims
- Inside cookies
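To make sure none of the locations in this list is skipped, it helps to inventory where identifier-like values sit in a captured request before testing each one. The block below is an added example, not part of the original checklist: it takes a constructed browser URL, request headers and POST body and lists every path segment, query and fragment parameter, body field, cookie and JWT claim that looks like an identifier. The request, cookie names and JWT (built with a placeholder signature and only decoded, never verified) are all constructed sample data; the contents of uploaded files are not covered.

```python
"""
Added example (not part of the original checklist): an inventory helper that
lists every place in a captured request where an identifier-like value sits
(path segment, query string, URL fragment, POST body, cookies and JWT claims).
The request, cookies and JWT below are constructed sample data; the JWT is
built here with a placeholder signature and is only decoded, never verified.
"""
import base64
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Numeric ids or UUIDs; adjust to the id scheme of the application under test.
ID_RE = re.compile(
    r"^(?:\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it: fine for inspecting the
    token of your own test account, never acceptable as server-side logic."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    return json.loads(_b64url_decode(parts[1]))


def find_id_locations(url: str, headers: dict, body: str) -> list[tuple[str, str, str]]:
    """Return (location, name, value) for every identifier-like value found."""
    found = []

    def add(location: str, name: str, value) -> None:
        if ID_RE.match(str(value)):
            found.append((location, name, str(value)))

    parts = urlsplit(url)
    for i, seg in enumerate(parts.path.split("/")):
        add("path", f"segment[{i}]", seg)
    for k, v in parse_qsl(parts.query):
        add("query", k, v)
    # The fragment never reaches the server, but SPA routers often turn it
    # into API calls, so it is still a place where ids live.
    for k, v in parse_qsl(parts.fragment):
        add("fragment", k, v)
    for k, v in parse_qsl(body):
        add("body", k, v)
    for chunk in headers.get("Cookie", "").split(";"):
        if "=" in chunk:
            k, v = chunk.strip().split("=", 1)
            add("cookie", k, v)
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        for k, v in jwt_claims(auth[len("Bearer "):]).items():
            add("jwt", k, v)
    return found


# Constructed sample request for one test account.
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"sub": "1", "tenant": 100, "role": "user"}).encode()),
    "placeholder-signature",
])
SAMPLE_URL = "https://app.example.test/api/invoices/10/export?tenant=100&format=pdf#section=2"
SAMPLE_HEADERS = {"Cookie": "session=abc123; uid=1", "Authorization": "Bearer " + SAMPLE_JWT}
SAMPLE_BODY = "invoice_id=10&recipient_id=2"


def inventory() -> list[tuple[str, str, str]]:
    """Run the inventory over the constructed sample request."""
    return find_id_locations(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    for location, name, value in inventory():
        print(f"{location:8} {name:14} {value}")
```

Each row of the output is one location to put on the list above and retest under the second account or tenant; values that only look like ids (the fragment's `section=2` in the sample) are kept deliberately, since deciding what is really an object reference is the reviewer's job, not the regex's.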