Insecure Direct Object Reference

IDOR occurs when, for example, you make a request to /api/user?id=1234567 and can read another user's data simply by changing the id, even though you are not supposed to have access to it.

The most common places to look for IDOR are:

  • Opt out links

    • These sometimes contain just a userid argument to opt out, and sometimes reveal users' emails. They can be found in the emails the site sends you.

  • Mobile Apps

    • A large share of findings come from mobile apps. Most mobile apps use a simple API to log the user in, display their information, and so on. Many of these APIs just take a userid parameter and will return all of that user's information if you ask for it.

  • Updating account settings

    • Sometimes when updating your account settings, they'll send your user_id as a parameter in the update request. Manipulating this can sometimes result in another user's profile being edited.

  • Reset password

    • The same as above.

UUIDs

What if the opt-out link contains a UUID? Those IDs aren't predictable, and you can't just increment them to get the next user. This happens often. In that case, check for places where a user's UUID might be leaked:

  • Viewing another user's profile

  • Messaging another user

  • etc.

An example case: you could invite a user to join and you would be their referral. Upon visiting the endpoint /api/ref?user={username}, the server would respond with that user's GUID. So all you had to do was collect users' usernames, hit the endpoint to retrieve each GUID, then visit /api/user?guid={guid_here} to reveal all of their account information.
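To make the fix concrete, here is an added example (not code from the original page) showing a lookup that trusts the client-supplied id beside one that binds the requested object to the authenticated session, plus an opt-out link that carries an HMAC-signed id instead of a bare userid. USERS, OPTOUT_SECRET and Forbidden are constructed for this demo.

```python
import hashlib
import hmac

# Constructed sample records for the demo, not real accounts.
USERS = {
    1234567: {"email": "alice@example.com", "opt_in": True},
    1234568: {"email": "bob@example.com", "opt_in": True},
}
# Hypothetical server-side key; in a real service it is loaded from config.
OPTOUT_SECRET = b"constructed-secret-for-demo"


class Forbidden(Exception):
    """The request is authenticated but not authorized for this object."""


def get_user_vulnerable(session_user_id: int, requested_id: int) -> dict:
    """IDOR pattern: whatever id the client sends is looked up, and the
    session's identity is never consulted, so ?id=1234568 leaks Bob's record."""
    return USERS[requested_id]


def get_user_fixed(session_user_id: int, requested_id: int) -> dict:
    """Authorize before returning: the object must belong to the caller."""
    if requested_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read user {requested_id}")
    return USERS[requested_id]


def make_optout_token(user_id: int) -> str:
    """Opt-out links carry an HMAC over the user id, so a link only works for
    the user it was issued to and cannot be rewritten to target someone else."""
    mac = hmac.new(OPTOUT_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def optout_fixed(token: str) -> bool:
    """Verify the token in constant time before changing any state."""
    try:
        user_part, _ = token.split(".", 1)
        user_id = int(user_part)
    except ValueError:
        raise Forbidden("malformed opt-out token")
    expected = make_optout_token(user_id).encode()
    if not hmac.compare_digest(expected, token.encode()) or user_id not in USERS:
        raise Forbidden("invalid opt-out token")
    USERS[user_id]["opt_in"] = False
    return True
```

Note that swapping the numeric id for an unguessable GUID does not replace the check in get_user_fixed: as the referral endpoint above shows, GUIDs leak through other features, so the server must still verify ownership on every request.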
