
Similar to Broken Object Level Authorization (BOLA) but less API focused; for example, iterating a pageID or page directory to view the information of other users.

ffuf

  • if you have UIDs (can be anything), fuzz the id parameter; -mr = regex match on the response body
    ffuf -u http://example.com/info.php?account=FUZZ -w <UIDLIST> -mr 'admin'
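The same sweep written as a regression check rather than a ffuf run, as an added example that is not part of the original page: a vulnerable `info.php?account=` style handler beside one with an object-level ownership check, plus a `sweep` helper that requests every id from a list as a non-owner and reports which responses match a regex. The account records and session model are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample data standing in for the records behind info.php?account=<id>.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "role": "user"},
    1002: {"owner": "bob",   "email": "bob@example.com",   "role": "admin"},
    1003: {"owner": "carol", "email": "carol@example.com", "role": "user"},
}


@dataclass
class Session:
    """Authenticated caller (hypothetical session object for the example)."""
    user: str
    role: str


def info_vulnerable(session, account_id):
    """IDOR: the caller-supplied id is trusted, so any existing record is returned."""
    rec = ACCOUNTS.get(account_id)
    return (200, rec) if rec else (404, None)


def info_fixed(session, account_id):
    """Object-level authorization: the record must belong to the caller, or the
    caller must be an admin. 'Missing' and 'not yours' both return 404 so the
    status code alone does not reveal which ids exist."""
    rec = ACCOUNTS.get(account_id)
    if rec is None or (rec["owner"] != session.user and session.role != "admin"):
        return (404, None)
    return (200, rec)


def sweep(handler, session, uid_list, pattern):
    """Mirror of the ffuf -mr idea as a test: call the handler for every id in
    uid_list as the given session and return the ids whose 200 response body
    matches `pattern`. For a correctly authorized handler and a non-owner
    session this list should be empty."""
    hits = []
    for uid in uid_list:
        status, body = handler(session, uid)
        if status == 200 and re.search(pattern, str(body)):
            hits.append(uid)
    return hits


if __name__ == "__main__":
    carol = Session("carol", "user")
    print("vulnerable:", sweep(info_vulnerable, carol, range(1000, 1010), "admin"))
    print("fixed:     ", sweep(info_fixed, carol, range(1000, 1010), "admin"))
```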

API


Post data

send a JSON body (quote the key and set the content type, or the server will parse it as a form)
curl -X POST -k <ENDPOINT> -H 'Content-Type: application/json' -d '{"key":"value"}'
proxy through Burp (default listener on localhost:8080)
curl -X POST -k --proxy http://localhost:8080 <ENDPOINT> -H 'Content-Type: application/json' -d '{"key":"value"}'