web2-vuln-classeslisted
Install: claude install-skill Mikacr1138/claude-bug-bounty
# WEB2 BUG CLASSES — 18 Classes
Root cause, pattern, bypass table, chaining opportunity, real paid examples.
---
## 1. IDOR — INSECURE DIRECT OBJECT REFERENCE
> #1 most paid web2 class — 30% of all submissions that get paid.
### Root Cause
```python
from flask import Flask, jsonify, abort
from flask_login import current_user  # session-backed identity; assumed login manager

app = Flask(__name__)
# `db.query` is the page's placeholder DB helper: parameterized query, returns one row or None

# VULNERABLE — no ownership check
@app.route('/api/orders/<int:order_id>')
def get_order_vulnerable(order_id):
    order = db.query("SELECT * FROM orders WHERE id = ?", order_id)
    return jsonify(order)  # Never checks if order belongs to current user!

# SECURE — ownership is part of the lookup, so a foreign ID matches nothing
@app.route('/api/orders/<int:order_id>')
def get_order(order_id):
    order = db.query("SELECT * FROM orders WHERE id = ? AND user_id = ?",
                     order_id, current_user.id)
    if order is None:
        abort(404)  # same answer as "does not exist": no existence oracle for other users' IDs
    return jsonify(order)
```
### Variants
- **V1:** Numeric ID swap — `/api/user/123/profile` → change to 124
- **V2:** UUID swap — enumerate UUID via email invite or other endpoint
- **V3:** Indirect IDOR — `POST /api/export?report_id=456` exports another user's report
- **V4:** Parameter add — appending `?user_id=other` makes the backend act on the client-supplied value
- **V5:** HTTP method swap — PUT is protected, DELETE is not
- **V6:** Old API version — `/v1/users/123` lacks auth that `/v2/` has
- **V7:** GraphQL node — `{ node(id: "base64(User:456)") { email } }`
- **V8:** WebSocket — WS sends `{"action":"get_history","userId":"client-generated-UUID"}`
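The fix pattern above and variants V1, V4 and V5 share one remedy: a single server-side ownership gate that every handler and every HTTP method goes through, keyed on the session identity and never on a client-supplied user ID. The following is an added, self-contained illustration of that gate (example code with a constructed in-memory table, not code from the claude-bug-bounty repo); `load_owned_order`, `NotFound` and `try_access` are names chosen here.

```python
import sqlite3

# Constructed in-memory store for the demonstration (not the repo's code).
conn = sqlite3.connect(":memory:")
conn.row_factory = sqlite3.Row
conn.executescript("""
    CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
    INSERT INTO orders VALUES (123, 1, 49.99), (124, 2, 10.00);
""")


class NotFound(Exception):
    """Raised for missing and foreign rows alike, so the response never reveals which."""


def load_owned_order(order_id, session_user_id):
    """Single ownership gate shared by every handler and HTTP method.

    Ownership comes from the server-side session, never from a client-supplied
    user_id (closes V4), and the same gate guards GET/PUT/DELETE (closes V5).
    """
    row = conn.execute(
        "SELECT id, user_id, total FROM orders WHERE id = ? AND user_id = ?",
        (order_id, session_user_id),
    ).fetchone()
    if row is None:
        raise NotFound()
    return dict(row)


def get_order(order_id, session_user_id, **client_params):
    # client_params (e.g. a smuggled user_id=...) is deliberately ignored (V4)
    return load_owned_order(order_id, session_user_id)


def delete_order(order_id, session_user_id):
    # Same gate as GET, so swapping the method (V5) gains nothing
    order = load_owned_order(order_id, session_user_id)
    conn.execute("DELETE FROM orders WHERE id = ?", (order["id"],))
    return order["id"]


def try_access(fn, *args, **kwargs):
    """Tiny harness: returns ('ok', value) or ('404', None), mirroring the HTTP outcome."""
    try:
        return ("ok", fn(*args, **kwargs))
    except NotFound:
        return ("404", None)
```

Run with the two-account check from the testing checklist: user 1 owns order 123, user 2 owns 124; every cross-user access, whatever the method or extra parameter, must come back indistinguishable from a nonexistent ID.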
### Testing Checklist
```
[ ] Two accounts (A=attacker, B=victim)
[ ] Log in as A, perform all actions, note all IDs
[ ] Replay A's requests with A's token but B's IDs
[ ] Test EVERY HTTP method (GET, PUT, DELETE,