Insecure Direct Object References
Check List
Methodology
Black Box
Create two accounts if possible; otherwise, enumerate users first
Check whether the endpoint is private or public and whether it contains any kind of ID parameter
Try changing the parameter value to another user's and see whether it does anything to their account
Change the HTTP method:
GET /users/delete/victim_id -> 403
POST /users/delete/victim_id -> 200

Try replacing parameter names. Instead of this:
GET /api/albums?album_id=<album id>
try this:
GET /api/albums?account_id=<account id>

Change the request to this:
POST /users/delete/my_id/..victim_id -> 200

Change the request Content-Type:
Content-Type: application/xml
Content-Type: application/json

Send a wildcard instead of an ID:
GET /api/users/user_id
changes to this:
GET /api/users/*

Never ignore encoded or hashed IDs. For a hashed ID, create multiple accounts and understand the pattern the application uses to allot an ID.

Bypass object-level authorization: add a parameter onto the endpoint if it is not present by default:
GET /api_v1/messages -> 200
GET /api_v1/messages?user_id=victim_uuid -> 200

HTTP parameter pollution: give multiple values for the same parameter:
GET /api_v1/messages?user_id=attacker_id&user_id=victim_id
GET /api_v1/messages?user_id=victim_id&user_id=attacker_id

Change the file type:
GET /user_data/2341 -> 401
GET /user_data/2341.json -> 200
GET /user_data/2341.xml -> 200
GET /user_data/2341.config -> 200
GET /user_data/2341.txt -> 200

JSON parameter pollution:
{"userid":1234,"userid":2542}

Wrap the ID with an array in the body:
{"userid":123} -> 401
{"userid":[123]} -> 200

Wrap the ID with a JSON object:
{"userid":123} -> 401
{"userid":{"userid":123}} -> 200

Test an outdated API version:
GET /v3/users_data/1234 -> 401
GET /v1/users_data/1234 -> 200

Delete Account (IDOR)
Log in to your own account in two browsers, A and B, as User A and User B
Create your own Licenses and certifications entries in both accounts
Now, in the request body, change the ID number; you will be able to delete all the Licenses and certifications present on HackerOne
Change the ID to the Licenses and certifications ID of the other account and it will be deleted
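The bypass list in the Black Box methodology above (method change, format suffix, parameter pollution, array or object wrapping, wildcards) works only because the server derives the object id loosely and checks ownership in some code paths but not others. The following is an added example, not code from the original page: a request handler that canonicalises the id from every place it can appear, refuses ambiguous shapes, and applies one ownership check regardless of method or content type. The account table, record store and request shape are constructed for the example.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample accounts and records for this example (not from the page).
USERS = {
    "alice": {"id": 100, "role": "user"},
    "bob":   {"id": 200, "role": "user"},
    "ops":   {"id": 1,   "role": "admin"},
}
USER_DATA = {
    100: {"email": "alice@example.test"},
    200: {"email": "bob@example.test"},
}


class BadRequest(Exception):
    """The request does not name exactly one well-formed object id."""


class Forbidden(Exception):
    """The caller is not allowed to touch the named object."""


@dataclass
class Request:
    method: str
    path: str                                  # e.g. "/user_data/2341.json"
    query: dict = field(default_factory=dict)  # name -> list of values (multi-valued)
    raw_body: Optional[str] = None             # JSON text, if the request has a body
    session_user: Optional[str] = None         # username resolved from the session


# "2341" or "2341.json": the suffix is a format hint, not a different object,
# so it is stripped before the id is compared. "*" matches nothing.
_ID_SEGMENT = re.compile(r"^(\d+)(?:\.[A-Za-z0-9]+)?$")
_ID_PARAMS = ("user_id", "userid", "id")


def _no_duplicate_keys(pairs):
    """json.loads hook: a key sent twice is pollution, so refuse it rather than
    silently keeping the first or the last value."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise BadRequest(f"duplicate JSON key {key!r}")
        obj[key] = value
    return obj


def extract_object_id(req: Request) -> int:
    """Collect every id the request carries (path, query, body); each must be a
    plain integer and they must all agree, otherwise the request is rejected."""
    candidates = set()

    last_segment = req.path.rstrip("/").rsplit("/", 1)[-1]
    m = _ID_SEGMENT.match(last_segment)
    if not m:
        raise BadRequest(f"path id {last_segment!r} is not a plain integer")
    candidates.add(int(m.group(1)))

    for name in _ID_PARAMS:
        values = req.query.get(name, [])
        if len(values) > 1:
            raise BadRequest(f"query parameter {name!r} given more than once")
        if values:
            if not values[0].isdigit():
                raise BadRequest(f"query parameter {name!r} is not an integer")
            candidates.add(int(values[0]))

    if req.raw_body is not None:
        try:
            body = json.loads(req.raw_body, object_pairs_hook=_no_duplicate_keys)
        except json.JSONDecodeError as exc:
            raise BadRequest("body is not valid JSON") from exc
        for name in _ID_PARAMS:
            if isinstance(body, dict) and name in body:
                value = body[name]
                # bool is a subclass of int in Python; [123] and {"userid":123} fail here
                if isinstance(value, bool) or not isinstance(value, int):
                    raise BadRequest(f"body field {name!r} must be a plain integer")
                candidates.add(value)

    if len(candidates) != 1:
        raise BadRequest(f"request names conflicting ids {sorted(candidates)}")
    return candidates.pop()


def authorize_and_fetch(req: Request) -> dict:
    """One ownership check, independent of HTTP method, Content-Type, API
    version and response format: a session may read only its own record
    unless it holds the admin role."""
    caller = USERS.get(req.session_user or "")
    if caller is None:
        raise Forbidden("not authenticated")
    object_id = extract_object_id(req)
    # Unknown ids get the same answer as foreign ids, so the endpoint cannot
    # be used to learn which ids exist.
    if object_id not in USER_DATA:
        raise Forbidden("no access to that object")
    if caller["role"] != "admin" and caller["id"] != object_id:
        raise Forbidden("no access to that object")
    return USER_DATA[object_id]


def outcome(req: Request) -> str:
    """Reduce a request to 'ok', 'forbidden' or 'bad_request' for quick checks."""
    try:
        authorize_and_fetch(req)
        return "ok"
    except Forbidden:
        return "forbidden"
    except BadRequest:
        return "bad_request"


if __name__ == "__main__":
    for probe in (Request("GET", "/user_data/100", session_user="alice"),
                  Request("POST", "/user_data/200", session_user="alice"),
                  Request("GET", "/user_data/200.json", session_user="alice"),
                  Request("POST", "/user_data/100", raw_body='{"userid":[100]}', session_user="alice")):
        print(probe.method, probe.path, probe.raw_body or "", "->", outcome(probe))
```

The design point is that ambiguity is an error, not a choice: a polluted parameter, a wrapped id or a wildcard returns 400 rather than letting one of several parsers pick a value that the authorization code never saw.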
Unsubscribe IDOR
Go to the subscribe page and sign up with an email (or create two test emails)
Note the subscribe URL: ...?p=subscribe&id=
Change subscribe → unsubscribe: ...?p=unsubscribe&id=1
In the unsubscribe form enter the target email (for example, the email you previously subscribed with)
The page shows “You have been unsubscribed...” and a confirmation email is received (The report indicates this works without CAPTCHA or a confirmation link)
GraphQL IDOR
Capture the GraphQL UpdateCampaign POST request when editing a campaign (example request sent to POST /graphql with JSON body containing input.campaign_id)
The campaign_id is a base64-encoded global id (e.g. Z2lkOi8vaGFja2Vyb25lL0NhbXBhaWduLzI0NA== → gid://hackerone/Campaign/244 when decoded)
Change the numeric ID part of the decoded GID (e.g. 244 → 243 or 245), re-encode the modified GID to base64 and replace input.campaign_id with that value in the same request
Send the modified UpdateCampaign request. The server accepts the request for the targeted campaign_id (even if that campaign belongs to another program), allowing the campaign to be updated/removed via that request
Impact: by targeting another program’s ongoing campaign id, a requester can modify or delete campaigns they don’t own
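What the campaign report above shows is that a base64 global id is an encoding, not a credential: anyone can decode it, change the number and re-encode it, so the resolver has to decide ownership from the decoded id. The following is an added example, not the affected application's code: a GID encoder/decoder using the exact string from the page, and an UpdateCampaign resolver that checks the requester belongs to the program owning the decoded campaign. The campaign-to-program table, the program membership and the requester names are constructed for the example.

```python
import base64
import re

# Constructed ownership data for this example (not from the page).
CAMPAIGN_OWNER = {243: "program-a", 244: "program-b", 245: "program-b"}
PROGRAM_MEMBERS = {"program-a": {"ana"}, "program-b": {"ben"}}

_GID = re.compile(r"^gid://([A-Za-z0-9_-]+)/([A-Za-z]+)/(\d+)$")


class Unauthorized(Exception):
    """Requester is not a member of the program that owns the campaign."""


def encode_gid(app: str, type_name: str, num: int) -> str:
    """Build a global id the way the page shows it: base64 over gid://app/Type/N."""
    return base64.b64encode(f"gid://{app}/{type_name}/{num}".encode("ascii")).decode("ascii")


def decode_gid(encoded: str, expected_type: str) -> int:
    """Reverse encode_gid and return the numeric part, refusing ids of another
    type. The decoded number carries no authority: the caller could have made
    it up, so it is only ever used as a lookup key for the ownership check."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed global id") from exc
    m = _GID.match(raw)
    if not m:
        raise ValueError("not a gid:// global id")
    if m.group(2) != expected_type:
        raise ValueError(f"expected a {expected_type} id, got {m.group(2)}")
    return int(m.group(3))


def update_campaign(requester: str, encoded_campaign_id: str, changes: dict) -> dict:
    """UpdateCampaign resolver with the object-level check the report found
    missing: the requester must belong to the program that owns the campaign
    named by the *decoded* id, not merely be logged in to some program."""
    campaign_id = decode_gid(encoded_campaign_id, "Campaign")
    owner = CAMPAIGN_OWNER.get(campaign_id)
    # A campaign that does not exist gets the same answer as a foreign one,
    # so the mutation cannot be used to probe which ids are valid.
    if owner is None or requester not in PROGRAM_MEMBERS.get(owner, set()):
        raise Unauthorized("requester may not modify this campaign")
    return {"campaign_id": campaign_id, "program": owner, **changes}


def try_update(requester: str, encoded_campaign_id: str, changes: dict) -> str:
    """'ok' / 'unauthorized' / 'invalid' label for quick checks."""
    try:
        update_campaign(requester, encoded_campaign_id, changes)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except ValueError:
        return "invalid"


if __name__ == "__main__":
    own = encode_gid("hackerone", "Campaign", 244)
    neighbour = encode_gid("hackerone", "Campaign", 243)
    print(own, "->", decode_gid(own, "Campaign"))
    print("ben on 244:", try_update("ben", own, {"title": "renamed"}))
    print("ben on 243:", try_update("ben", neighbour, {"title": "renamed"}))
```

A reviewer reading a resolver like this should look for exactly one thing: whether the ownership lookup is keyed on the id taken from the request, or on something derived from the session. Only the former closes the report's issue.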
Account Deletion IDOR
Create two test accounts: victim@test and attacker@test. Ensure you control both
From the victim account, initiate an account-delete flow in your browser while intercepting requests (Burp/DevTools) to capture the JSON body that would be sent (this reveals the body format; do not forward the request). Example body contains email and authPW
Cancel the actual request so no deletion occurs
Log in as attacker and prepare a new POST /v1/account/destroy request in an interceptor/repeater. Replace the body with the victim’s captured email and authPW values (only for your test accounts). Send the request only if both accounts are test accounts you control
Observe server response: if the server returns success and the victim account is deleted, the vulnerability is confirmed. Prefer to confirm by checking server response codes and deletion flags rather than deleting real production data
GraphQL IDOR
This allows modifying the links of any user. Users can put their custom links or social media links on their profile
Replicate the following request, replacing the authentication headers with your own
You must also put, in the body of the request, in the "username" parameter, the username that you want; you can try my username: "criptexhackerone1". This request will return in the response the links of any user profile with the "id" of each link. For example:
POST / HTTP/2
Host: gql.example.com

{"id":"11a239b07f86","variables":{"username":"*********"}}
When you get some "id", save it
In the next request you have to put, in the request body, in the "id" parameter, the previously saved id; you can also change the name and the link
POST / HTTP/2
Host: gql.example.com

{"id":"c558e604581f","variables":{"input":{"socialLinks":[{"outboundUrl":"https://www.hackerone.com","title":"hacker","type":"CUSTOM","id":"* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *"}]}}}
Finally, re-enter the victim's profile and you will see the modified links. It is important to mention that you may have to reload the page a few times or wait a few seconds
IDOR Broken Object Level Authorization
1. Login (attacker): Authenticate in the application with your test attacker account in a browser
2. Capture baseline request: Navigate to the profile endpoint and capture the request to
GET /api/v1/users/current? HTTP/1.1
3. Prepare modified request: In Repeater, modify the request path by replacing current? with a target identifier
GET /api/v1/users/$USERNAME HTTP/1.1
4. Send modified request: Send it from Repeater and inspect the HTTP response body
5. Verify with controlled accounts (recommended): For a safe PoC, create a second test account (victim-test), add a distinguishable field (e.g., bio: "victim-test-proof"), then repeat step 3 using that username; this proves read access without touching real users
6. Document evidence: Save and sanitize the HTTP request and response (redact cookies, Authorization headers, tokens and any PII you don't own). Take a screenshot of the returned JSON (with sensitive fields redacted if needed). Note timestamps and user-agents
7. Do not brute-force: Avoid enumerating many usernames or automating tests on production. Limit yourself to 1–2 manual checks or use staging
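The profile endpoint in the steps above is exactly the kind of object read a defender can watch for: every request names a target user in the path and is tied to a session user, so a 200 where the two differ is either an admin feature or a finding, and a run of distinct foreign targets from one session is enumeration. The following is an added example, not part of the original write-up: a detector run over constructed access-log lines whose format (timestamp, session user, method, path, status) is assumed for the example; real logs will need the regex adjusted.

```python
import re
from collections import defaultdict

# Constructed access-log lines for this example (not from the page). Format:
# <timestamp> user=<session user> <method> <path> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice GET /api/v1/users/current? 200
2024-05-01T10:00:05Z user=alice GET /api/v1/users/alice 200
2024-05-01T10:00:09Z user=alice GET /api/v1/users/bob 200
2024-05-01T10:00:10Z user=alice GET /api/v1/users/carol 200
2024-05-01T10:00:11Z user=alice GET /api/v1/users/dave 200
2024-05-01T10:00:12Z user=alice GET /api/v1/users/erin 403
2024-05-01T10:00:20Z user=alice GET /api/v1/albums?album_id=7 200
2024-05-01T10:01:00Z user=bob GET /api/v1/users/current? 200
2024-05-01T10:01:03Z user=bob GET /api/v1/users/bob 200
"""

# Only profile-object reads are of interest; the trailing "?" seen in the
# captured request is tolerated. "current" is the caller's own record.
_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"/api/v1/users/(?P<target>[^/\s?]+)\??\s+(?P<status>\d{3})$"
)
SELF_ALIASES = {"current", "me"}


def parse_profile_read(line: str):
    """Return (session_user, target, status) for a profile read, else None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return m.group("user"), m.group("target"), int(m.group("status"))


def find_cross_user_access(log_text: str, enumeration_threshold: int = 3) -> dict:
    """Per session user, list successful and denied reads of *other* users'
    profiles. A session that successfully read at least enumeration_threshold
    distinct foreign profiles is flagged as enumerating; a single foreign 2xx
    already deserves a look, since the endpoint should never return one to a
    plain user."""
    findings = defaultdict(lambda: {"foreign_ok": [], "foreign_denied": [], "enumeration": False})
    for line in log_text.splitlines():
        parsed = parse_profile_read(line)
        if parsed is None:
            continue
        user, target, status = parsed
        if target == user or target in SELF_ALIASES:
            continue
        bucket = "foreign_ok" if 200 <= status < 300 else "foreign_denied"
        if target not in findings[user][bucket]:
            findings[user][bucket].append(target)
    for report in findings.values():
        report["enumeration"] = len(report["foreign_ok"]) >= enumeration_threshold
    return dict(findings)


if __name__ == "__main__":
    for user, report in find_cross_user_access(SAMPLE_LOG).items():
        print(user, report)
```

Denied (403) foreign reads are kept separately: they show the control is working for that object, but a session collecting many of them is still probing and is worth correlating with the successful ones.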
Content Move IDOR
You can move your content via the Move to button at $WEB/dashboard
When you click Move to > My Content, you will send a POST request to /dashboard
The $ACTIONABLE[] parameter's value is the content's ID. If you change this ID to the victim's content ID, you will see the victim's content on the My Content page
After sending the request through Burp Suite with the changed parameter, go back to the My Content section
Featured Image Deletion IDOR
Make two accounts: one for the victim and the other for an attacker
Add some featured images in both accounts. Go to Profile --> Add Profile Section --> Recommended --> Add Featured
Delete an image on the attacker's account, capture that request using Burp and send it to Repeater. It makes a delete request like the one given below
It consists of three things: the ProfileId, the ImageId, and the sectionUrn, which also takes the same ProfileId value
Now visit the victim's profile featured images without logging in as the victim. Copy the link of the image you want to delete from the victim's profile, which looks like this
Paste that link into your notepad and notice that in this link we got both the ProfileId and the ImageId. In the above link, I get these
Now simply replace the respective values of the required parameters in Repeater and send the request
You will see that the targeted featured image from the victim's profile was successfully deleted
IDOR in Update Profile Section
Create an account on the web application and go to the Update Profile section, for example:
https://example.com/UpdateProfile/<user-id>
Change the numeric user-id to any other, and you'll see other users' email addresses
File Download IDOR
Go to the site and, wherever you see a CSV file download (or other extensions), turn on interception in Burp Suite
Click to download the file and capture the request
In the request, look for a parameter that has the word ID or is numeric
Manipulate the parameter by changing the ID and send the request
If another file is returned whose content includes other users' information or sensitive information, the application has an IDOR vulnerability
White Box
Cheat Sheet