Insecure Direct Object References
Check List
Methodology
HTTP Methods
Log in to the target site and track requests using the Burp Suite tool
Complete the authentication process, then open your profile
Perform an action that deletes a photo or the account, and capture the request with Burp Suite
After intercepting the request, check whether it contains a number that identifies the user (the user ID), then change it to another account's ID
After changing the request, check whether the server responds with 403 or 404
If it returns 404 or 403, switch the method: POST to GET, or GET to POST, as in the following request
GET /users/delete/victim_id -> 403
POST /users/delete/victim_id -> 200
Try This
Create both accounts, log in to the profile page with the attacker's account, click Delete Account, and capture the request with Burp Suite
Then check whether the request contains an id or number that identifies the user account. If it does, change the id to that of the victim account created in the Chrome browser and check whether the server responds with 403
POST /users/delete/victim_id -> 403
If it is refused, add a path traversal payload, as in the following request
POST /users/delete/my_id/..victim_id -> 200
Recon the target site using the complete cheat sheet
Then look for sensitive paths, such as admin paths
Send a request to this route and check whether the server answers normally or returns 401
GET /admin/profile -> 401
Then change the case of the admin path, as in the following requests, and check whether the server lets you in. If it does, the vulnerability is confirmed
GET /Admin/profile -> 200
GET /ADMIN/profile -> 200
Objected JSON Parameter
Complete the authentication process on the target site
Log in to your profile and go to the profile settings section
Make a change to your profile and start intercepting with Burp Suite before clicking Save
Click Save and check whether the captured request body is in JSON format
Identify the userid parameter inside it, change it, and check whether the server responds with 403
{"userid":123} -> 401
If it returns an error, wrap the value in a JSON object, as in the following request
{"userid":{"userid":123}} -> 200
Using the * character instead of the user ID
Log into the target site and intercept requests using the Burp suite tool
Then identify the requests for the user API routes, such as the following
GET /api/users/user_id
Then replace the user id in the path with * and check whether the server accepts it
GET /api/users/*
If the response shows user information, the vulnerability is confirmed
JSON Parameter Pollution
Log in to the target site and complete the authentication process
Then register an account. After registration, log out
Go to the login page, enter the correct username and password, start intercepting with Burp Suite, and click Login
Capture the login request. If a userid parameter exists, change it to another id and check whether you are logged into another account
If you are not, repeat the login and, instead of changing the value of the userid-like parameter, convert it to an array as follows
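The bypasses in the HTTP Methods, Try This, admin-path, Objected JSON Parameter, * character and JSON Parameter Pollution sections above all work when the server checks ownership on only some code paths or coerces odd-shaped ids. The following is an added example (not code from the original page): one authorization function that resolves dot segments, matches routes case-insensitively, ignores the HTTP method and accepts only a plain integer id, so every variant gets the same verdict. The routes and user ids are constructed for the example.

```python
import posixpath
import re
from typing import Any, Optional

ADMINS = {999}  # constructed: the only user id with admin rights

# Routes are matched case-insensitively, so /Admin and /ADMIN hit the same check as /admin.
ADMIN_ROUTE = re.compile(r"/admin(/|$)", re.IGNORECASE)
DELETE_ROUTE = re.compile(r"/users/delete/([^/]+)$", re.IGNORECASE)
API_USER_ROUTE = re.compile(r"/api/users/([^/]+)$", re.IGNORECASE)
SETTINGS_ROUTE = re.compile(r"/profile/settings$", re.IGNORECASE)


def canonical_path(path: str) -> str:
    """Drop the query string and resolve dot segments before routing,
    so /users/delete/123/../456 is authorized as /users/delete/456."""
    return posixpath.normpath("/" + path.split("?", 1)[0].lstrip("/"))


def parse_object_id(value: Any) -> Optional[int]:
    """Accept only a plain integer id. '*', '..456', nested objects,
    arrays (parameter pollution) and booleans are all rejected."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and re.fullmatch(r"[0-9]{1,18}", value):
        return int(value)
    return None


def authorize(session_user: int, method: str, path: str,
              body: Optional[dict] = None) -> int:
    """Return the status the server should answer with. The method is
    deliberately ignored: switching GET<->POST cannot change the verdict."""
    path = canonical_path(path)
    if ADMIN_ROUTE.match(path):
        return 200 if session_user in ADMINS else 403
    for route in (DELETE_ROUTE, API_USER_ROUTE):
        match = route.match(path)
        if match:
            target = parse_object_id(match.group(1))
            if target is None:
                return 400  # malformed id never reaches the data layer
            return 200 if target == session_user else 403
    if SETTINGS_ROUTE.match(path):
        target = parse_object_id((body or {}).get("userid"))
        if target is None:
            return 400  # {"userid": {"userid": 123}} is rejected, not coerced
        return 200 if target == session_user else 403
    return 404
```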
Delete Account (IDOR)
Log in with User A in browser A and User B in browser B
Create a Licenses and certifications entry in both accounts
Now change the ID number in the request body and you will be able to delete any Licenses and certifications entry present on HackerOne
Change the ID to the Licenses and certifications ID of the other account and it will be deleted
Unsubscribe IDOR
Go to the subscribe page and sign up with an email (or create two test emails)
Note the subscribe URL: ...?p=subscribe&id=
Change subscribe → unsubscribe: ...?p=unsubscribe&id=1
In the unsubscribe form enter the target email (for example, the email you previously subscribed with)
The page shows “You have been unsubscribed...” and a confirmation email is received (the report indicates this works without a CAPTCHA or a confirmation link)
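As an added example (not part of the original report), here is the server-side fix for the unsubscribe flow above: the link carries an HMAC-signed token naming the subscriber instead of a guessable id, and the form's email field is no longer an input to the decision. The secret and subscriber table are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for the example: a server secret and a subscriber table.
SECRET = b"constructed-server-secret"
SUBSCRIBERS = {1: "alice@example.com", 2: "bob@example.com"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(sub_id: int) -> str:
    """Build <payload>.<signature>: the payload names the subscriber id and
    email, the HMAC binds both to the server secret. This replaces ?id=1."""
    payload = json.dumps({"id": sub_id, "email": SUBSCRIBERS[sub_id]},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def unsubscribe(token: str) -> Optional[int]:
    """Unsubscribe only the subscriber the token was issued for. Any form
    field naming another email is ignored. Returns the id, or None if refused."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # signature mismatch: id or email was edited
        claims = json.loads(payload)
    except ValueError:
        return None  # malformed token
    sub_id = claims.get("id")
    if not isinstance(sub_id, int) or SUBSCRIBERS.get(sub_id) != claims.get("email"):
        return None  # unknown subscriber, or already unsubscribed
    del SUBSCRIBERS[sub_id]
    return sub_id
```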
GraphQL IDOR
Capture the GraphQL UpdateCampaign POST request when editing a campaign (example request sent to POST /graphql with JSON body containing input.campaign_id)
The campaign_id is a base64-encoded global id (e.g. Z2lkOi8vaGFja2Vyb25lL0NhbXBhaWduLzI0NA== → gid://hackerone/Campaign/244 when decoded)
Change the numeric ID part of the decoded GID (e.g. 244 → 243 or 245), re-encode the modified GID to base64 and replace input.campaign_id with that value in the same request
Send the modified UpdateCampaign request. The server accepts the request for the targeted campaign_id (even if that campaign belongs to another program), allowing the campaign to be updated/removed via that request
Impact: by targeting another program’s ongoing campaign id, a requester can modify or delete campaigns they don’t own
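The following added example (not HackerOne's code) shows the resolver-side check that closes the UpdateCampaign issue above: the base64 GID is decoded and type-checked, then the campaign's owning program is compared with the requester's programs before anything is modified. The owner table and requester memberships are constructed; only campaign id 244 and the GID format come from the page.

```python
import base64
import re
from typing import Optional, Tuple

# Constructed data: the program that owns each campaign, and the programs each
# requester may manage. Campaign 244 is the id from the page; the rest is invented.
CAMPAIGN_OWNER = {243: "program-a", 244: "program-b", 245: "program-a"}
REQUESTER_PROGRAMS = {"alice": {"program-b"}, "bob": {"program-a"}}

GID_RE = re.compile(r"^gid://hackerone/([A-Za-z]+)/([0-9]{1,18})$")


def decode_gid(value: str) -> Optional[Tuple[str, int]]:
    """Decode a base64 global id into (type, numeric id); None if malformed."""
    try:
        raw = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    match = GID_RE.match(raw)
    return (match.group(1), int(match.group(2))) if match else None


def encode_gid(type_name: str, numeric_id: int) -> str:
    """Inverse of decode_gid, used to build ids for the checks below."""
    return base64.b64encode(f"gid://hackerone/{type_name}/{numeric_id}".encode()).decode()


def update_campaign(requester: str, campaign_gid: str) -> int:
    """Resolver-side check for UpdateCampaign: decode the opaque id, verify its
    type, and require the campaign's owning program to be one the requester
    belongs to. Returns the status the resolver maps to."""
    decoded = decode_gid(campaign_gid)
    if decoded is None or decoded[0] != "Campaign":
        return 400  # wrong type or garbage: nothing is looked up
    owner = CAMPAIGN_OWNER.get(decoded[1])
    if owner is None or owner not in REQUESTER_PROGRAMS.get(requester, set()):
        return 404  # same answer for "does not exist" and "not yours"
    return 200
```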
Account Deletion IDOR
Create two test accounts: victim@test and attacker@test. Ensure you control both
From the victim account, initiate an account-delete flow in your browser while intercepting requests (Burp/DevTools) to capture the JSON body that would be sent (this reveals the body format; do not forward the request). Example body contains email and authPW
Cancel the actual request so no deletion occurs
Log in as attacker and prepare a new POST /v1/account/destroy request in an interceptor/repeater. Replace the body with the victim’s captured email and authPW values (only for your test accounts). Send the request only if both accounts are test accounts you control
Observe server response: if the server returns success and the victim account is deleted, the vulnerability is confirmed. Prefer to confirm by checking server response codes and deletion flags rather than deleting real production data
GraphQL IDOR
This allows modifying the links of any user. Users can add custom links or social media links to their profile
Replay the following request, substituting your own authentication headers
You must also put the username you want in the "username" parameter of the request body; you can try my username: "criptexhackerone1". This request returns in the response the links of any user profile, with the "id" of each link, for example
When you get an "id", save it
In the next request, put the previously saved id in the "id" parameter of the request body; you can also change the name and the link
Finally, re-open the victim's profile and you will see the modified links. Note that you may have to reload the page a few times or wait a few seconds
IDOR Broken Object Level Authorization
Login (attacker): Authenticate in the application with your test attacker account in a browser
Capture baseline request: Navigate to the profile endpoint and capture the request to
Prepare modified request: In Repeater, modify the request path by replacing the current identifier with a target identifier
Send modified request: Send it from Repeater and inspect the HTTP response body
Verify with controlled accounts (recommended): For a safe PoC, create a second test account (victim-test), add a distinguishable field (e.g., bio: "victim-test-proof"), then repeat step 3 using that username — this proves read access without touching real users
Document evidence: Save/sanitize the HTTP request and response (redact cookies, Authorization headers, tokens and any PII you don’t own). Take a screenshot of the returned JSON (with sensitive fields redacted if needed). Note timestamps and user-agents
Do not brute-force: Avoid enumerating many usernames or automating tests on production. Limit yourself to 1–2 manual checks or use staging
Content Move IDOR
You can move your content via the Move to button at $WEB/dashboard
When you click Move to > My Content, a POST request is sent to /dashboard like the following
The value of the $ACTIONABLE[] parameter is the content's ID. If you change this ID to the victim's content ID, the victim's content appears on your My Content page
After changing the parameter and sending the request through Burp Suite, go back to the My Content section
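An added example (not the application's code) of how the /dashboard move handler should treat the $ACTIONABLE[] list: every id is parsed strictly and checked against the caller's ownership, and one foreign id rejects the whole request. Content ids, owners and the location table are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed data: content id -> owner, and where each item currently lives.
CONTENT_OWNER = {10: "attacker", 11: "attacker", 20: "victim"}
LOCATION: Dict[int, str] = {10: "shared", 11: "shared", 20: "shared"}


def parse_actionable(form_body: str) -> Optional[List[int]]:
    """Turn ACTIONABLE[]=10&ACTIONABLE[]=11 into [10, 11].
    Returns None if any value is not a plain ASCII integer."""
    values = parse_qs(form_body, keep_blank_values=True).get("ACTIONABLE[]", [])
    ids: List[int] = []
    for value in values:
        if not re.fullmatch(r"[0-9]{1,18}", value):
            return None
        ids.append(int(value))
    return ids


def move_to_my_content(session_user: str, form_body: str) -> int:
    """All-or-nothing bulk move: every id must belong to the caller. One foreign
    id rejects the whole request, so nothing of another user's ever lands in the
    caller's My Content page. Returns the HTTP status to send."""
    ids = parse_actionable(form_body)
    if not ids:
        return 400
    if any(CONTENT_OWNER.get(cid) != session_user for cid in ids):
        return 403
    for cid in ids:
        LOCATION[cid] = f"my-content:{session_user}"
    return 200
```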
Featured Image Deletion IDOR
Make two accounts one is for the victim and the other for an attacker
Add some featured images in both accounts. Go to Profile --> Add Profile Section --> Recommended --> Add Featured
Delete an image on the attacker's account, capture that request with Burp and send it to Repeater. It makes a delete request like the one given below
It consists of three things: ProfileId, and sectionUrn, which also takes the same ProfileId value
Now visit the victim's profile featured images without logging in as the victim. Copy the link of the image you want to delete from the victim's profile, which looks like this
Paste that link into your notepad and notice that it contains both ProfileId and ImageId. From the above link, I get these
Now simply replace the respective values of the required parameters in Repeater and send the request
You see that the targeted featured image from the victim's profile was successfully deleted
IDOR in Update Profile Section
Create an account on the web app and go to the Update Profile section, for example
Change the numeric user-id to any other value, and you'll see other users' email addresses
File Download IDOR
On the site, wherever you see a CSV (or other) file download, enable interception in Burp Suite
Click on download file and get the request
In the request, look for a parameter that has the word ID or is numeric
Change the Id value in that parameter and send the request
If the downloaded file contains another user's data or other sensitive information, it is an IDOR vulnerability
Access to Unpublished
Create an account on the target platform
Create at least two blog posts:
One published/public
One unpublished or set as “Private” / “Draft” / “Hidden”
While creating or editing the private post, intercept all requests with Burp Suite
Identify the endpoint that loads a single post, usually one of these patterns
Note the numeric or alphanumeric ID of your public post and your private post
Log out or open an incognito window (or use a second account that should NOT have access)
Manually send a direct request to the private post ID like
If the full private post content loads → vulnerability confirmed
IDOR In Reset Password Functionality
Log in to the target site using 2 accounts
One account is attacker@gmail.com and the other is victim@gmail.com; go to the forgotten password page
With the second account, victim@gmail.com, complete the forgotten password process. After changing the password, check whether the link has been consumed or can be used again
Then check the link for base64-encoded data at the end or in the middle of the URL. If there is any, decode it
Then check whether your userid and email appear in the decoded data
If they do, substitute the email and userid of the first account, attacker@gmail.com, and use the link again. After completing the forgotten password process, check whether that user's password has been changed on the site. If it has, the vulnerability is confirmed
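As an added example (not the target site's code), here is a reset flow without the two weaknesses above: the link carries a random token whose user binding lives only on the server, and the token is consumed on first use, so nothing in the URL can be decoded or rewritten to point at another account. The user table, TTL and passwords are constructed.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed user table, password store and reset-token store for the example.
USERS = {"attacker@example.com": 1, "victim@example.com": 2}
PASSWORDS: Dict[int, str] = {1: "old-a", 2: "old-v"}
RESET_TOKENS: Dict[str, dict] = {}  # sha256(token) -> {"uid": ..., "expires": ...}
TOKEN_TTL = 900  # seconds a reset link stays valid


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Mint a random, opaque token for the address on file. Unlike a base64
    blob of userid+email, it carries nothing: the user id lives only in the
    server-side record, and only a hash of the token is stored."""
    uid = USERS.get(email)
    if uid is None:
        return None  # the caller still renders the same neutral page
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "uid": uid, "expires": _now(now) + TOKEN_TTL}
    return token


def reset_password(token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume the token exactly once. Which account changes is decided by the
    stored record, so no email or userid from the form can redirect it, and a
    second use of the same link fails."""
    record = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if record is None or record["expires"] < _now(now):
        return False  # unknown, already used, or expired
    PASSWORDS[record["uid"]] = new_password
    return True
```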