Insecure Direct Object References (IDOR)
An IDOR vulnerability is when a user can change a value, such as a number in a URL, and access someone else's file/page/content.
- a form with predictable values:
?id=10
?id=11
- a folder with predictable filenames:
/user1.png
/user2.png
- a cookie
The best way to test for IDOR is to create two accounts, and see if from one, you can access the content of the other. If you can't, try to find the difference between them in the requests.
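The same idea in code, as an added example that is not part of the original note: a file lookup that trusts the `?id=` value from the URL beside one that scopes the lookup to the logged-in user, plus the two-account check described above. The store, user names and file ids are constructed for the example.

```python
"""Minimal IDOR demonstration: an object lookup keyed only on a client-supplied
id, beside the ownership-checked version. Added example; the store, users and
file ids below are constructed, not taken from any real application."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class StoredFile:
    file_id: int
    owner: str
    content: bytes


# Constructed sample data: two accounts, each with one private file.
# Sequential ids are exactly the "predictable values" that make IDOR easy to spot.
FILES = {
    10: StoredFile(10, "alice", b"alice's tax return"),
    11: StoredFile(11, "bob", b"bob's medical record"),
}


def get_file_vulnerable(session_user: str, file_id: int) -> Optional[bytes]:
    """Vulnerable: trusts the id from the URL (?id=10) and never asks who owns it."""
    f = FILES.get(file_id)
    return f.content if f else None


def get_file(session_user: str, file_id: int) -> Optional[bytes]:
    """Hardened: the lookup is scoped to the authenticated user.

    Returning the same None for "missing" and "not yours" avoids telling the
    caller which ids exist (an enumeration oracle)."""
    f = FILES.get(file_id)
    if f is None or f.owner != session_user:
        return None
    return f.content


def two_account_check(handler: Callable[[str, int], Optional[bytes]],
                      user_a: str, user_b: str) -> List[int]:
    """The two-account test from the text: act as user_a and request every
    file owned by user_b. Returns the ids that leaked; an empty list means the
    handler held up for this data set."""
    leaked = []
    for fid, f in FILES.items():
        if f.owner == user_b and handler(user_a, fid) is not None:
            leaked.append(fid)
    return leaked
```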