Ctrlk

Enumeration
Content Discovery
API hacking
CORS Misconfiguration
XSS
SSRF
Account take over
IDOR
Access control vulnerabilities and privilege escalation
HTTP Request Smuggling / HTTP Desync Attack
Subdomain Takeovers
Resources
403 Bypass
Log4J
Bypassing Client-Side Controls
BACKUP FILES /Backup Archives:
Attacking Authentication
DNS enumeration/DNS recon-reading
Subdomain Enumeration-reading
Subdomain Takeover
File upload vulnerabilities
CRLF

Powered by GitBook

On this page

IDOR

Create two accounts, swap API parameters, and try to access information from each other.
Sending a GET request does not imply the ability to perform POST or update actions; hence, it's essential to experiment with various request types on the same API.
Param pollution
https://jasper-join-7e5.notion.site/IDOR-Cheat-Sheet-9f7c9e3285bf4c7cae5ea38243cd0391

PreviousAccount take over NextAccess control vulnerabilities and privilege escalation

Last updated 1 year ago