exploiting-idor-vulnerabilities

# Exploiting IDOR Vulnerabilities ## When to Use - During authorized penetration tests when testing access control on resource endpoints - When APIs or web pages use predictable identifiers (numeric IDs, UUIDs, slugs) in URLs or request bodies - For validating that object-level authorization is enforced across all CRUD operations - When testing multi-tenant applications where users should only access their own data - During bug bounty programs targeting broken access control vulnerabilities ## Prerequisites - **Authorization**: Written penetration testing agreement for the target application - **Burp Suite Professional**: With Authorize extension installed from BApp Store - **Two test accounts**: At least two separate user accounts with different permission levels - **Burp Authorize Extension**: For automated IDOR testing across sessions - **curl/httpie**: For manual request crafting - **Browser**: Configured to proxy through Burp Suite ## Workflow ### Step 1: Map All Object References in the Application Identify every endpoint that references objects by ID across the application. ```bash # Browse the application through Burp proxy with User A # Review Burp Target > Site Map for endpoints with object references # Common IDOR-prone endpoints to look for: # GET /api/users/{id} # GET /api/orders/{id} # GET /api/invoices/{id}/download # PUT /api/users/{id}/profile # DELETE /api/posts/{id} # GET /api/documents/{id} # GET /api/messages/{conversation_id} # Extract all endp...