Insecure Direct Object Reference testing techniques for sequential IDs, UUIDs, encoded references, and parameter tampering. (16 payloads)
/api/users/1, /api/users/2, /api/users/3.../api/orders/1000 → /api/orders/999/api/invoice?id=100&id=101&id=102Change user_id in request body from own ID to target IDTry UUID v1 — timestamp-based, predictableSearch for UUIDs in other API responses, JS files, error messages00000000-0000-0000-0000-000000000000Change one character of known UUIDBase64 decode ID → modify → re-encodeHex decode ID → modify → re-encodeMD5/SHA hash of sequential integersJWT payload sub claim modification?user_id=123&user_id=456?user_id[]=123&user_id[]=456Change GET param and POST body to different IDsX-Original-URL: /api/admin/users/1Level up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides
It's a quick-reference collection of 16 IDOR payloads for testing IDOR vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or open the JWT Payloads generator to build customized IDOR variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.
Yes — this cheat sheet and all IDOR payloads are completely free, with no account required. Everything runs in your browser.