IDOR Lab

📝Learning Objective: Insecure Direct Object References (IDOR)

IDOR vulnerabilities occur when applications expose direct references to internal objects (like user IDs, file names, or database keys) without proper authorization checks. Attackers can manipulate these references to access unauthorized data.

Common IDOR Targets:

  • User Profiles: /profile?id=123
  • Documents: /download?file=contract_456.pdf
  • Account Data: /api/account/789
  • Administrative Functions: /admin/user/999

Attack Impact:

  • Unauthorized data access and privacy breaches
  • Financial information exposure
  • Personally identifiable information (PII) theft
  • Privilege escalation via admin accounts

Current Session

Logged in as:
User #3 (You)
Session Token:
session_abc123

Security Mode

Vulnerable / Secure

No authorization checks (VULNERABLE!).

Profile Lookup

IDOR Techniques

View Other Users

Try user IDs 1, 2, 4, 5 to access other profiles

Admin Account

User ID 1 might be an administrator

Sequential Access

Increment/decrement user ID to find other accounts

High Value Targets

Look for executive or system accounts

User Profile

Enter a user ID to view their profile

Understanding IDOR

Insecure Direct Object Reference (IDOR) occurs when applications expose references to internal objects without proper authorization checks.

Common IDOR Patterns:

  • Sequential user IDs (1, 2, 3...)
  • Predictable object references
  • URL parameters with object IDs
  • File paths with predictable names

Prevention:

  • ✅ Implement proper authorization checks
  • ✅ Use indirect references (UUIDs instead of sequential IDs)
  • ✅ Validate user permissions for each request
  • ✅ Use access control lists (ACLs)

Try this: Change the user ID in the URL or input field to access other users' profiles. Notice how you can see private information!
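The lab's two security modes side by side, as an added example that is not the lab's own server code: the same profile lookup once without an authorization check (the Vulnerable mode) and once with the ownership-or-admin rule and the indirect-reference pattern from the Prevention list. The user records, role names, the `session_abc123` session store and every function name are constructed for this illustration.

```python
import secrets

# Constructed user table standing in for the lab's database.
USERS = {
    1: {"name": "admin", "role": "admin", "email": "admin@example.test"},
    2: {"name": "alice", "role": "user", "email": "alice@example.test"},
    3: {"name": "bob", "role": "user", "email": "bob@example.test"},
}


class AuthorizationError(Exception):
    """Raised when the session is not allowed to read the requested object."""


def get_profile_vulnerable(session_user_id, requested_id):
    """Vulnerable mode: whatever id the client sent is fetched as-is.

    session_user_id is accepted but never consulted; that is the IDOR bug.
    """
    return USERS.get(requested_id)


def is_authorized(session_user_id, requested_id):
    """Ownership-or-admin rule: users may read their own record, admins any record."""
    requester = USERS.get(session_user_id)
    if requester is None:
        return False
    return session_user_id == requested_id or requester["role"] == "admin"


def get_profile_secure(session_user_id, requested_id):
    """Secure mode: the server-side session identity, not the request, decides.

    The same error is raised for 'forbidden' and 'does not exist' so the
    response does not reveal which ids are valid.
    """
    if not is_authorized(session_user_id, requested_id):
        raise AuthorizationError(
            f"user {session_user_id} denied access to profile {requested_id}"
        )
    record = USERS.get(requested_id)
    if record is None:
        raise AuthorizationError(
            f"user {session_user_id} denied access to profile {requested_id}"
        )
    return record


# Indirect references: per-session map from an opaque token to the internal id.
# The client never sees (or guesses) the sequential id behind the token.
_SESSION_REFS = {}


def issue_reference(session_token, object_id):
    """Give the client an unguessable token for object_id, scoped to this session."""
    ref = secrets.token_urlsafe(16)
    _SESSION_REFS.setdefault(session_token, {})[ref] = object_id
    return ref


def resolve_reference(session_token, ref):
    """Map a token back to its id; tokens resolve only in the session that received them."""
    try:
        return _SESSION_REFS[session_token][ref]
    except KeyError:
        raise AuthorizationError("unknown reference for this session") from None


if __name__ == "__main__":
    # Logged in as user #3: the vulnerable lookup returns user #1's record,
    # the secure lookup refuses it.
    print(get_profile_vulnerable(3, 1))
    try:
        get_profile_secure(3, 1)
    except AuthorizationError as exc:
        print("secure mode:", exc)
    ref = issue_reference("session_abc123", 3)
    print("own profile via indirect reference:", get_profile_secure(3, resolve_reference("session_abc123", ref)))
```

The indirect reference on its own is not a substitute for the authorization check: a token that leaks (a shared link, a log line) would still resolve, so `get_profile_secure` re-checks ownership after the token is mapped back to an id, which is why the Prevention list names both measures.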