# Insecure Direct Object Reference

IDOR is when you for example make a request to `/api/user?id=1234567`, and you can access another user’s data, even though you're not supposed to.

The most common places to look for IDOR are:

* Opt out links
  * These sometimes just contain a userid argument to opt out, and sometimes reveal users' emails. These can be found in emails they send you.
* Mobile Apps
  * A huge part of findings come from mobile apps. Most mobile apps use a simple API system to log the user in, display their information etc. A lot of API's just take a userid parameter and will reveal all their information to you if you just ask for it.
* Updating account settings
  * Sometimes when updating your account settings, they'll send your `user_id` as a parameter in the update request. Manipulating this can sometimes result in another user's profile being edited.
* Reset password
  * The same as above.

## UUIDs

**What if the optout link contains a uuid?** Those IDs aren't predictable and you can't just increment them to get the next user. This happens often. In that case check for places where a user's UUID might be leaked:

* Viewing another users profile
* Messaging another user
* etc.

An example case is you could invite a user to join and you'd be their referral. Upon visiting the endpoint `/api/ref?user={username}`, the server would respond with that users guid. So now all you have to do was grab all users' usernames, hit the endpoint to retrieve guid, then visit `/api/user?guid={guid_here}` to reveal all their account information.