Insecure Direct Object References (IDOR)

idor introwebapplicationsecurity owasptop10 adventofcyber4 neighbour corridor cap api_broken_access web_attacks

An IDOR vulnerability exists when a user can change a value, such as a number in a URL, and access someone else's file/page/content. Typical places to look:

  • a form with predictable values: ?id=10 → ?id=11
  • a folder with predictable filenames: /user1.png → /user2.png
  • a cookie

The best way to test for IDOR is to create two accounts and check whether, from one, you can access the content of the other. If you can't, compare the requests the two accounts send and look for the value that differs between them.
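As an added example (not part of the original notes), the same lookup written twice, once with the IDOR bug and once with an ownership check, plus the two-account test described above run against both. The handler signature, the user names and the document table are constructed for the example; no web framework is involved.

```python
# Added example: a minimal "document" endpoint with and without an
# authorisation check, and the two-account IDOR test from the notes.
# Users, ids and document bodies below are constructed sample data.

DOCS = {
    10: {"owner": "alice", "body": "alice's private report"},
    11: {"owner": "bob", "body": "bob's private report"},
}


class Forbidden(Exception):
    """Raised when the requesting user does not own the object."""


def get_doc_vulnerable(session_user, doc_id):
    # IDOR: the id taken from the URL is trusted as-is; nothing checks
    # that the document actually belongs to session_user.
    return DOCS[doc_id]["body"]


def get_doc_fixed(session_user, doc_id):
    # Fix: load the object, then verify ownership before returning it.
    # Unknown ids and foreign ids are refused the same way so that
    # the response does not reveal which ids exist.
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not read doc {doc_id}")
    return doc["body"]


def two_account_check(handler, attacker, victim_doc_id):
    """The two-account test: act as one user and request an object that
    belongs to the other. Returns True if the cross-account read succeeded
    (IDOR present), False if the handler refused it."""
    try:
        handler(attacker, victim_doc_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # alice owns doc 10; she tampers the id to 11, which belongs to bob
    print("vulnerable handler leaks:", two_account_check(get_doc_vulnerable, "alice", 11))
    print("fixed handler leaks:     ", two_account_check(get_doc_fixed, "alice", 11))
```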

What's next? 🔥

  • You can use Fuzzing to try to discover more content

  • It may be possible to reset someone else's password

  • It may be possible to modify someone else's account information, such as a profile item, to perform an XSS attack