IDOR

Difficulty: easy | Duration: 20 min | Platform: tryhackme

Learn about Insecure Direct Object Reference (IDOR) vulnerabilities — what they are, how to find them in encoded IDs, hashed IDs, and unpredictable IDs, and where they hide (URL parameters, AJAX requests, JavaScript). Includes a practical exercise exploiting an IDOR in an API endpoint to access other users' data by changing the user ID parameter.

Skills You Will Learn

idor, access-control, api-testing, parameter-tampering

Prerequisites

Walkthrough Phases

1. Understanding IDOR
   Learn what IDOR vulnerabilities are and why they're dangerous

2. Finding IDORs
   Learn where IDOR vulnerabilities hide and how IDs are obfuscated

3. Practical IDOR Exploitation
   Exploit a real IDOR vulnerability in an API endpoint

8 questions to answer

alienrecon start thm-idor

Don't have AlienRecon? Get started here