Guide to finding Insecure Direct Object Reference (IDOR) vulnerabilities by testing access controls on object references like IDs, filenames, and UUIDs.
Identify all API endpoints and URL parameters that reference objects by ID, UUID, filename, or other identifiers. Create two test accounts to compare access. Note numeric IDs, GUIDs, encoded values, and file paths.
/api/users/123/profile
/api/orders/456/receipt
/documents/download?id=789
/files/user-uploads/report-abc.pdf
Using Account A, try to access objects belonging to Account B. Replace object IDs in URLs, request bodies, and headers. Check if the server enforces ownership verification.
GET /api/users/124/profile (your ID is 123)
PUT /api/orders/457/status (not your order)
DELETE /api/messages/999 (another user's message)
As a regular user, try accessing admin-only resources. Change role-related parameters, access admin API endpoints, and attempt to modify objects you should only read.
GET /api/admin/users (as regular user)
PUT /api/users/123 {"role":"admin"}
GET /api/reports/financial-summary
Check if object IDs are sequential and predictable. Try incrementing/decrementing IDs, brute-forcing short numeric ranges, and decoding base64/hex-encoded IDs to find patterns.
/api/invoices/1001, /api/invoices/1002, ...
Decode: aWQ9MTIz -> id=123
UUID v1 timestamp extraction
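The predictability described above is also what a defender sees in server logs: one client walking consecutive object ids in a single collection. The following added example is not part of the original guide; it parses a few constructed access-log lines and flags clients whose distinct ids form a long run of adjacent values, reporting how much of the sweep the ownership check denied. The log format, addresses, collection names and thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original page):
# client address, method, request path, response status.
SAMPLE_LOG = """\
10.0.0.5 GET /api/invoices/1001 200
10.0.0.5 GET /api/invoices/1002 403
10.0.0.5 GET /api/invoices/1003 403
10.0.0.5 GET /api/invoices/1004 403
10.0.0.5 GET /api/invoices/1005 200
10.0.0.5 GET /api/invoices/1006 403
10.0.0.9 GET /api/invoices/2200 200
10.0.0.9 GET /api/users/2200/profile 200
10.0.0.7 GET /api/invoices/3100 200
10.0.0.7 GET /api/invoices/3107 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# An object reference is the numeric path segment directly after a collection name.
OBJ_RE = re.compile(r"^/api/(?P<collection>[a-z-]+)/(?P<id>\d+)")


def parse(log_text):
    """Yield (ip, collection, object_id, status) for lines that reference a numeric id."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        o = OBJ_RE.match(m["path"])
        if not o:
            continue
        yield m["ip"], o["collection"], int(o["id"]), int(m["status"])


def enumeration_suspects(log_text, min_run=5, max_gap=1, min_denied_ratio=0.0):
    """Return {(ip, collection): stats} for clients that walk adjacent object ids.

    A legitimate user touches a handful of their own objects; a sweep shows many
    distinct ids spaced at most `max_gap` apart.  The share of 403 responses is
    reported so the analyst can tell whether the ownership check held during the
    sweep (a sweep that is all 200s on a non-public collection is the worse case).
    """
    seen = defaultdict(lambda: {"ids": set(), "denied": 0, "total": 0})
    for ip, coll, oid, status in parse(log_text):
        s = seen[(ip, coll)]
        s["ids"].add(oid)
        s["total"] += 1
        if status == 403:
            s["denied"] += 1

    suspects = {}
    for key, s in seen.items():
        ids = sorted(s["ids"])
        # Longest run of ids in which each step is at most max_gap.
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        denied_ratio = s["denied"] / s["total"]
        if best >= min_run and denied_ratio >= min_denied_ratio:
            suspects[key] = {
                "distinct_ids": len(ids),
                "longest_run": best,
                "denied_ratio": round(denied_ratio, 2),
            }
    return suspects


if __name__ == "__main__":
    for (ip, coll), stats in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip} swept /api/{coll}: {stats}")
```

Run length, not denial rate, is the primary signal: on an endpoint that lacks the ownership check the whole sweep returns 200, so requiring denials would hide exactly the case worth finding. The same logic applies to decoded base64 or hex ids once the decoded value is substituted for the path segment.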
An endpoint may enforce access control for GET but not for PUT or DELETE. Test the same object reference across all HTTP methods (GET, POST, PUT, PATCH, DELETE).
GET /api/users/124/profile -> 403
PUT /api/users/124/profile -> 200 (IDOR!)
DELETE /api/users/124 -> 200 (IDOR!)
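The horizontal, vertical and per-method tests above all expose the same server-side defect: the ownership or role decision lives in one code path and is skipped in another. The following added example is not from the original guide; it shows a deliberately vulnerable handler (ownership checked only on GET, request body applied as-is) beside a hardened one that decides access once before any verb-specific logic and filters writes through an allowlist, with `method_matrix` reproducing the per-method comparison in the text. The in-memory store, user ids, field names and status codes are constructed for the illustration.

```python
from copy import deepcopy
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample data (not from the original page): profile id -> record.
# "owner" is the user id that may act on the record; "role" is a privileged field.
def fresh_store():
    return deepcopy({
        123: {"owner": 123, "email": "a@example.test", "role": "user"},
        124: {"owner": 124, "email": "b@example.test", "role": "user"},
    })


ALL_METHODS = ("GET", "PUT", "PATCH", "DELETE")
OWNER_WRITABLE = {"email"}  # fields a non-admin owner may change; "role" is not one


def vulnerable_handler(actor, method, profile_id, store, body=None):
    """Ownership is enforced for GET only and the whole body is applied on write:
    the method-gap and role-escalation failure modes described in the text."""
    profile = store.get(profile_id)
    if profile is None:
        return 404
    if method == "GET":
        return 200 if profile["owner"] == actor.id or actor.role == "admin" else 403
    if method in ("PUT", "PATCH"):
        profile.update(body or {})  # no ownership check, no field filtering
        return 200
    if method == "DELETE":
        return 200  # would delete another user's record
    return 405


def hardened_handler(actor, method, profile_id, store, body=None):
    """Access is decided once, before any verb-specific logic, and writes by a
    non-admin are restricted to OWNER_WRITABLE so "role" cannot be self-assigned."""
    profile = store.get(profile_id)
    if profile is None:
        return 404
    is_admin = actor.role == "admin"
    if not (profile["owner"] == actor.id or is_admin):
        return 403  # same answer for every method
    if method == "GET":
        return 200
    if method in ("PUT", "PATCH"):
        changes = body or {}
        if not is_admin and any(k not in OWNER_WRITABLE for k in changes):
            return 403  # attempted change of a privileged field
        profile.update(changes)
        return 200
    if method == "DELETE":
        return 200
    return 405


def admin_list_users(actor, store):
    """Admin-only collection endpoint: the role check is explicit, not implied by the URL."""
    if actor.role != "admin":
        return 403, None
    return 200, sorted(store)


def method_matrix(handler, actor, profile_id, store):
    """Exercise one object reference across every method, as the text recommends."""
    return {m: handler(actor, m, profile_id, store) for m in ALL_METHODS}


if __name__ == "__main__":
    alice = User(123, "user")
    print("vulnerable:", method_matrix(vulnerable_handler, alice, 124, fresh_store()))
    print("hardened:  ", method_matrix(hardened_handler, alice, 124, fresh_store()))
```

Whether a denied request returns 403 or 404 is a design choice: 404 avoids confirming that the object exists, which matters when ids are sequential, but either is fine as long as every method gets the same answer from the same check.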
Record which objects are accessible, what data is exposed, and whether modification or deletion is possible. Classify severity based on the sensitivity of the exposed data and available actions.
Accessed 500 user profiles via sequential ID enumeration
Modified another user's email address via PUT request