Insecure Direct Object Reference
User1 tries to retrieve file F101, which holds his financial data, but instead of F101 he puts F109 in the request, which is someone else's financial data. This is called IDOR: the request returns someone else's data, which we do not have access to retrieve without their permission, or which is exposed because there is some misconfiguration.
Attack vectors for IDOR
Parameter brute force, if any profile is accessible (Burp Suite Intruder, Sniper attack)
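The F101/F109 request described above, with the missing access check beside a corrected lookup, plus a way to spot the parameter brute force from the server side. This is an added example, not code from the original page; the store, the function names, the `denied_log` list and the threshold of 3 are assumptions, and the data is constructed.

```python
from collections import defaultdict

# Constructed sample store: file id -> (owner, content). Names are hypothetical.
FILES = {
    "F101": ("user1", "user1 financial data"),
    "F109": ("user2", "user2 financial data"),
}

class NotFound(Exception):
    """Raised for missing files and for files the caller does not own."""

def get_file_vulnerable(session_user, file_id):
    # IDOR: the id from the request is the only lookup key; session_user is ignored.
    if file_id not in FILES:
        raise NotFound(file_id)
    return FILES[file_id][1]

def get_file_checked(session_user, file_id, denied_log):
    # Ownership is checked on the server for every request, whatever id was sent.
    record = FILES.get(file_id)
    if record is None or record[0] != session_user:
        denied_log.append((session_user, file_id))
        # Same error for "missing" and "not yours", so ids cannot be probed.
        raise NotFound(file_id)
    return record[1]

def enumeration_suspects(denied_log, threshold=3):
    # A user denied on many distinct ids looks like parameter brute forcing.
    seen = defaultdict(set)
    for user, file_id in denied_log:
        seen[user].add(file_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)

def demo():
    denied = []
    leaked = get_file_vulnerable("user1", "F109")  # returns user2's data
    own = get_file_checked("user1", "F101", denied)  # owner still gets his file
    for fid in ("F109", "F110", "F111"):  # constructed run of guessed ids
        try:
            get_file_checked("user1", fid, denied)
        except NotFound:
            pass
    return leaked, own, enumeration_suspects(denied)

if __name__ == "__main__":
    print(demo())
```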
Testing methods
Mitigation