IDOR (Insecure Direct Object Reference)

Overview

IDOR is an access control vulnerability where the application trusts user-controlled identifiers (IDs) to fetch objects (profiles, invoices, tickets) without verifying ownership or authorization on the server side.

1) What IDOR looks like

Common patterns:

• Query params: /profile?user_id=1305
• Path params: /api/v1/customer/1305
• JSON body / AJAX calls: {"id":1305}

2) Simple ID swap test

The fastest detection method: change the identifier and observe if the response changes to another user/object.

3) Encoded IDs (base64)

Some apps encode IDs (commonly base64). Decode → modify → re-encode → resend.

• Decode: base64decode.org
• Encode: base64encode.org

4) Hashed IDs (predictable patterns)

Hashed identifiers may be predictable (e.g., md5 of an integer). Always try common cracking databases first.

• Lookup/crack: crackstation.net

5) Unpredictable IDs (two-account technique)

If IDs are random/UUID-like, create 2 accounts and swap IDs between requests.

• If account A can access account B’s object by swapping the ID → IDOR confirmed.

6) Where to look (not just the URL bar)

• AJAX / API calls in the Network tab (often /api/...)
• JavaScript files referencing endpoints
• Hidden/unreferenced parameters (parameter mining)

Exam Notes (PT1)

• Always test object-level authorization: change IDs, compare responses.
• Look for information disclosure (emails, addresses, tickets, invoices) and action IDOR (changing/closing tickets, modifying profiles).
• Use DevTools Network tab to find the real API call powering the page.
• When IDs are encoded: decode/edit/re-encode; when hashed: try crack databases or predictable patterns.