IDOR - Insecure Direct Object Reference

It is a type of access control vulnerability.

User-supplied input is used to retrieve objects. The application places too much trust in that input and does not validate, on the server side, whether the authenticated user is actually allowed to access the object being requested.

<http://online-service.thm/profile?user_id=1305>
<http://online-service.thm/profile?user_id=1000> should not load for the user who owns ID 1305;
if it does load, the application is vulnerable to IDOR.
The server should check that the requested ID matches the ID of the authenticated user.

Most of the time the IDs used will be encoded; Base64 is the most common encoding.

Encoded IDs - To test for the vulnerability, decode the ID, tamper with it, re-encode it and send it back through the browser.

Hashed IDs - Sometimes the IDs may be hashed; websites mostly use MD5. Use CrackStation or a hash-cracking tool to recover the original value.

Unpredictable IDs - Sometimes the IDs are unpredictable. In that situation, create two accounts and, while logged in as one, try to access the other account's objects.

Where are the IDORs located - Sometimes in server-side AJAX requests, sometimes in JavaScript files, or in endpoints such as /user/details, which can be referenced as /user/details?user_id=123.

Sometimes the IDOR will not be visible in the address bar anywhere in the application. In that case open the developer tools, go to the Network tab and reload the application; every endpoint the application calls will be listed there.
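The following is an added example, not code from the original notes or from any real site. It ties together the points above: a profile endpoint that trusts the `user_id` parameter (vulnerable) next to one that checks the requested ID against the authenticated session (fixed), with the ID Base64-encoded to show that encoding is reversible and gives no protection on its own. The `two_account_check` function is an automated form of the "create two accounts" test. The profile store, the `Session` class and the `encoded_id` parameter are assumptions constructed for this example.

```python
import base64
from dataclasses import dataclass

# Constructed in-memory profile store standing in for a database (not a real service).
PROFILES = {
    1305: {"name": "alice", "email": "alice@example.invalid"},
    1000: {"name": "bob", "email": "bob@example.invalid"},
}


@dataclass
class Session:
    """The server-side view of who is logged in (assumed shape, not from the notes)."""
    user_id: int
    is_admin: bool = False


def encode_user_id(uid: int) -> str:
    """Base64-encode an id the way an application might put it in a URL."""
    return base64.b64encode(str(uid).encode("ascii")).decode("ascii")


def decode_user_id(encoded: str) -> int:
    """Reverse the encoding. Anyone can do this, so it is obfuscation, not access control."""
    try:
        return int(base64.b64decode(encoded).decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed id parameter")


def get_profile_vulnerable(session: Session, encoded_id: str):
    """IDOR: the parameter is decoded and used directly, the session is never consulted."""
    uid = decode_user_id(encoded_id)
    return PROFILES.get(uid)


def get_profile_secure(session: Session, encoded_id: str):
    """Fixed: the requested id must belong to the caller (or the caller must be an admin).
    Returning None stands in for a 403/404 response."""
    uid = decode_user_id(encoded_id)
    if uid != session.user_id and not session.is_admin:
        return None
    return PROFILES.get(uid)


def two_account_check(handler) -> bool:
    """Automated 'two accounts' test: alice (1305) asks for bob's (1000) profile.
    Returns True when the handler correctly refuses, False when it leaks."""
    alice = Session(user_id=1305)
    return handler(alice, encode_user_id(1000)) is None


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_profile_vulnerable), ("secure", get_profile_secure)):
        verdict = "refused" if two_account_check(handler) else "LEAKED"
        print(f"{name}: cross-account request {verdict}")
```

The only difference between the two handlers is the comparison against `session.user_id`; the encoding step is identical in both, which is why decoding and re-encoding the parameter is enough to probe the first one. The same pattern applies to any object identifier (orders, invoices, messages): resolve the object, then check that the authenticated principal owns it or is otherwise authorised, before returning it.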