IDOR Cheat Sheet

Insecure Direct Object Reference testing techniques for sequential IDs, UUIDs, encoded references, and parameter tampering. (16 payloads)

Sequential ID Enumeration

(4)

/api/users/1, /api/users/2, /api/users/3...

Increment integer IDs

/api/orders/1000 → /api/orders/999

Decrement to find other records

/api/invoice?id=100&id=101&id=102

Parameter array for batch access

Change user_id in request body from own ID to target ID

Body parameter tampering

UUID / Non-Sequential

(4)

Try UUID v1 — timestamp-based, predictable

UUIDv1 timestamp prediction

Search for UUIDs in other API responses, JS files, error messages

UUID leakage in responses

00000000-0000-0000-0000-000000000000

Null UUID test

Change one character of known UUID

Adjacent UUID guessing

Encoded ID Tampering

(4)

Base64 decode ID → modify → re-encode

Base64 encoded ID manipulation

Hex decode ID → modify → re-encode

Hex encoded ID manipulation

MD5/SHA hash of sequential integers

Hashed ID prediction

JWT payload sub claim modification

JWT-based IDOR

HTTP Parameter Pollution

(4)

?user_id=123&user_id=456

Duplicate parameter — server may use last

?user_id[]=123&user_id[]=456

Array parameter injection

Change GET param and POST body to different IDs

Method-specific parameter priority

X-Original-URL: /api/admin/users/1

URL override header IDOR

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

JWT Payloads IDOR

Related Cheat Sheets

CSRF Cheat Sheet JWT Attacks Cheat Sheet

$loading...