⌘K
ENES
GitHub
playbookSecurity Playbooks~1 min readUpdated Apr 23, 2026

Exploit IDOR

Goal

Determine whether object identifiers can be manipulated to access another user's data or actions.

Assumptions

  • the app exposes object-specific routes, IDs, or references
  • authorization might be weaker than authentication
  • the server may trust client-supplied identifiers too much

Prerequisites

  • authenticated test accounts with different privilege scopes
  • ability to capture and replay requests
  • understanding of object locations in the app

Recon steps

  1. Map endpoints that expose object IDs in paths, query params, forms, or JSON.
  2. Compare requests from two different users.
  3. Look for predictable IDs, UUID reuse, sequential records, or leaked references.

Exploit / test steps

  1. Capture a request that accesses one object.
  2. Change only the object identifier.
  3. Replay the request with the same auth context.
  4. Try both read and write operations.
  5. Repeat across hidden endpoints, exports, downloads, and mobile/API routes.

Validation clues

  • another user's object is returned
  • writes succeed against another user's resource
  • response metadata changes without an authorization error
  • timing or status changes indicate object existence

Mitigation

  • enforce authorization on every object access server-side
  • use indirect references only as a helper, not a replacement
  • avoid relying on UI visibility for protection
  • log authorization failures and suspicious object access patterns

Logging / detection

  • repeated access attempts across adjacent IDs
  • many 403/404 combinations across the same route family
  • auth context accessing objects outside expected ownership scope

References

  • Testing / Lab: PortSwigger IDOR page — https://portswigger.net/web-security/access-control/idor
  • Testing / Lab: PortSwigger access control topic — https://portswigger.net/web-security/access-control
  • Foundational: OWASP WSTG authorization testing — https://owasp.org/www-project-web-security-testing-guide/latest/

Explore nearby notes

Security PlaybooksBreak JWT ValidationIdentify whether JWT handling is weak enough to allow acceptance of invalid, stale, mis-scoped, or attacker-influenced tokens. Security PlaybooksDetect BloodHound Collection_Playbook structure (Goal / Assumptions / Prerequisites / Detection steps / Validation clues / Mitigation / Logging / Operational safety), matching the trio... Security PlaybooksDetect DCSync and ntds.dit AccessDetect both forms of bulk Active Directory credential extraction — **DCSync** (IDL_DRSGetNCChanges via the DRSUAPI RPC interface) and **offline ntds.dit... Security PlaybooksDetect External Recon Scan PipelineDetect an external operator running a two-phase Masscan → Nmap-NSE recon pipeline (the offense playbook run-scan-pipeline) against your perimeter, with high enough... Security PlaybooksDetect Kerberoasting and AS-REP RoastingDetect both Active Directory Kerberos credential-attack families (Kerberoasting and AS-REP Roasting) via behavioral analysis on Event IDs 4768/4769 and... Security PlaybooksExploit SQL InjectionDetermine whether user-controlled input can alter SQL query logic in a way that changes access, data, or behavior.