@zseano
UK Security Researcher



A site containing various blog posts, tutorials, tools and information regarding working with me.


Insecure Direct Object Reference (IDOR) - Where are they?!

IDORs are relatively simple to find if you know where to look. An IDOR is simply a request like http://api.example.com/getuser?id=139349, in which you supply the endpoint with a user id, GUID or some other identifier.

In the last 3 months, using nothing but IDOR, I have reported 7 IDORs resulting in ~250,000,000 details being leaked, and this post is designed to outline the process I use.


So firstly, the most common places to look for IDORs are:
Cool, I've found an IDOR... now what?
Every case of IDOR is different, so it's hard to create a blueprint of "do this, do that!". Instead I'll go through my experience and some of the hurdles I've had to jump to accomplish what I want.

Common bypasses?

I can't really think of many common things to suggest when it comes to "bypassing" an IDOR "filter", since IDORs are simply a matter of chucking in another user's user_id and hoping the server responds with something related to that user. All I can suggest is testing these endpoints for SQL injection as well!
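To make the definition above and the SQL injection remark concrete, here is an added example (my own code, not from the original post or any real api.example.com service): a minimal getuser handler in its vulnerable form beside a fixed one, backed by a constructed in-memory user table. Both use parameterised queries, which shows that an IDOR is an authorisation bug, not an injection bug.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample rows standing in for the user table behind
# api.example.com/getuser (not real data).
SAMPLE_USERS = [
    (139349, "alice", "alice@example.com"),
    (139350, "bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


@dataclass
class Request:
    session_user_id: int  # identity proven by the session cookie / token
    requested_id: int     # the ?id= query parameter, fully client-controlled


def get_user_vulnerable(conn: sqlite3.Connection, req: Request):
    """Vulnerable handler: whatever id the client sends decides whose row comes back.

    The query is parameterised, so SQL injection is not possible here; the bug is
    purely a missing authorisation check, which is exactly what an IDOR is.
    """
    row = conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (req.requested_id,)
    ).fetchone()
    return (200, row) if row else (404, None)


def get_user_hardened(conn: sqlite3.Connection, req: Request):
    """Fixed handler: the requested object must belong to the authenticated caller.

    Rejecting a mismatching id before touching the database means the endpoint
    answers 403 whether or not another user's id exists, so it leaks nothing.
    """
    if req.requested_id != req.session_user_id:
        return (403, None)
    row = conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (req.requested_id,)
    ).fetchone()
    return (200, row) if row else (404, None)
```

Feeding Alice's session (139349) a request for id 139350 returns Bob's row from the vulnerable handler and a 403 from the hardened one.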