IDOR (Insecure Direct Object Reference) is a broken access control flaw where an application exposes a reference to an internal object, like a user ID or file name, and fails to verify the requester is authorized for it. Changing /account?id=1001 to /account?id=1002 to read another user's data is the classic example the IDOR generator helps you test.
The IDOR generator produces ID-tampering variants you swap into a request: sequential increment and decrement, negative and zero values, UUID mutation, and array or wildcard injection. Capture an authenticated request in Burp, substitute the generated identifiers, and compare responses for unauthorized objects returned with a 200 instead of a 403.
Non-sequential UUIDs raise the bar but do not guarantee safety. Harvest valid UUIDs leaked elsewhere (other endpoints, exports, email links, JS bundles) and replay them; test predictable UUIDv1 timestamps, try mass-assignment of an id field, and add path traversal or parameter pollution like id=victim&id=self that the IDOR generator includes to reach objects you should not see.
Yes, the IDOR generator is free and executes entirely in your browser, so the identifiers and target details you enter never leave your machine. It is intended only for authorized security testing, including penetration tests, bug bounty programs, and CTFs where you have permission.