# Insecure Direct Object Reference

IDOR (Insecure Direct Object Reference) is when a request such as `/api/user?id=1234567` lets you access another user's data simply by changing the identifier, even though you are not supposed to: the server authenticates you but never checks that you are authorized for the object you asked for.

The most common places to look for IDOR are:

* Opt-out links
  * These sometimes contain just a user ID argument to opt out, and sometimes reveal users' emails. They can be found in the emails a site sends you.
* Mobile apps
  * A huge share of findings come from mobile apps. Most mobile apps use a simple API to log the user in, display their information, etc. A lot of APIs just take a user ID parameter and will reveal all of that user's information if you ask for it.
* Updating account settings
  * Sometimes when updating your account settings, the app sends your `user_id` as a parameter in the update request. Manipulating it can result in another user's profile being edited.
* Password reset
  * The same as above.

## UUIDs

**What if the opt-out link contains a UUID?** Those IDs aren't predictable, so you can't just increment them to get the next user. This happens often. In that case, check for places where a user's UUID might be leaked:

* Viewing another user's profile
* Messaging another user
* etc.

An example case: you could invite a user to join and you'd be their referrer. Upon visiting the endpoint `/api/ref?user={username}`, the server would respond with that user's GUID. So all you had to do was collect users' usernames, hit the endpoint to retrieve each GUID, then visit `/api/user?guid={guid_here}` to reveal all of their account information.
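The following is an added example, not code from the original cheat sheet: a minimal model of the `/api/user?id=...` lookup and the account-settings update described above, first in the vulnerable shape and then hardened with a per-object ownership check. The `Session`, `USERS` table and `ALLOWED_FIELDS` names are constructed for illustration; the same check applies whether the key is a sequential integer or an unguessable UUID, since an unguessable ID is not a substitute for authorization.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the application's user table.
USERS = {
    1234567: {"id": 1234567, "email": "alice@example.com", "name": "Alice"},
    1234568: {"id": 1234568, "email": "bob@example.com", "name": "Bob"},
}
ALLOWED_FIELDS = {"name"}  # fields a user may change on their own record


@dataclass
class Session:
    user_id: int           # the authenticated principal, set at login
    is_admin: bool = False


class Forbidden(Exception):
    pass


def get_user_vulnerable(session: Session, requested_id: int) -> dict:
    """IDOR: the caller is authenticated, but the handler never checks that
    the caller is allowed to read the record identified by `requested_id`."""
    return USERS[requested_id]


def can_read(session: Session, requested_id: int) -> bool:
    """Object-level authorization: owner or an explicit admin role."""
    return requested_id == session.user_id or session.is_admin


def get_user_hardened(session: Session, requested_id: int) -> dict:
    """Same lookup, but the record is released only after the ownership check."""
    if not can_read(session, requested_id):
        raise Forbidden(f"user {session.user_id} may not read {requested_id}")
    return USERS[requested_id]


def update_settings_vulnerable(session: Session, body: dict) -> dict:
    """IDOR: the target record comes from the client-supplied `user_id`."""
    USERS[body["user_id"]].update({k: v for k, v in body.items() if k in ALLOWED_FIELDS})
    return USERS[body["user_id"]]


def update_settings_hardened(session: Session, body: dict) -> dict:
    """The target is always the session's own user; any `user_id` in the body
    is ignored, so there is nothing for the client to tamper with."""
    USERS[session.user_id].update({k: v for k, v in body.items() if k in ALLOWED_FIELDS})
    return USERS[session.user_id]
```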
