What I learnt from reading 220* IDOR bug reports.
IDOR — Insecure Direct Object Reference, abuse of the lack of authentication at every stage.
Considering becoming a member on medium? Use this link at no extra cost to yourself, and support me :) (https://medium.com/@nynan/membership)
A while ago, I curled up in bed, with my laptop and a coffee, and scraped every single IDOR report from HackerOne. A week or so later, I had compiled notes and findings from my reading and I’m here to show you what I’ve learnt, and how my understanding of a seemingly simple bug has changed massively.
For reference, throughout the article I will refer to various bug reports by number. Each number is a HackerOne report, which can be found by replacing XXXXXX in the URL: https://hackerone.com/reports/XXXXXX
Your understanding of IDOR is wrong.
That subheading was pretty dramatic; realistically, it should be “Your understanding of IDOR is too narrow”. Typically people think an IDOR is just finding a parameter called “ID” (or similar) and replacing the number with another, like report 797685.
Then receiving Status 200, saying an operation on a different user’s object has been completed.
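To make the classic "swap the ID" case concrete, here is an added example (not code from the article or from report 797685, and constructed data rather than any real application): an authenticated invoice endpoint written twice, once with the missing object-level check and once with the check tied to the server-side session identity. The `Invoice`, `INVOICES`, `Response` and function names are all assumptions for illustration.

```python
# Added example: the "swap the ID" IDOR pattern as a vulnerable handler
# beside a hardened one. All data below is constructed, not from any report.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


# Constructed sample data: user 1 owns two invoices, user 2 owns one.
INVOICES = {
    1001: Invoice(1001, owner_id=1, amount=49.99),
    1002: Invoice(1002, owner_id=1, amount=12.50),
    2001: Invoice(2001, owner_id=2, amount=999.00),
}


def _render(inv: Invoice) -> Response:
    return Response(200, {"invoice_id": inv.invoice_id, "amount": inv.amount})


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Response:
    """Authenticated, but never asks who owns the object: any logged-in
    user can read any invoice simply by changing invoice_id."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404, {"error": "not found"})
    return _render(inv)


def get_invoice_hardened(session_user_id: int, invoice_id: int) -> Response:
    """Same endpoint with an object-level authorization check. The identity
    comes from the server-side session, never from a client-supplied field.
    'Missing' and 'not yours' get the same 404 so the endpoint does not
    confirm which IDs exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        return Response(404, {"error": "not found"})
    return _render(inv)


def delete_invoice_vulnerable(session_user_id: int, invoice_id: int,
                              store: dict) -> Response:
    """State-changing variant: the 200 the article describes, for an
    operation on an object that belongs to somebody else."""
    if invoice_id not in store:
        return Response(404, {"error": "not found"})
    del store[invoice_id]
    return Response(200, {"deleted": invoice_id})


def delete_invoice_hardened(session_user_id: int, invoice_id: int,
                            store: dict) -> Response:
    """The same mutation, gated on ownership before anything changes."""
    inv = store.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        return Response(404, {"error": "not found"})
    del store[invoice_id]
    return Response(200, {"deleted": invoice_id})


if __name__ == "__main__":
    # User 2 asks for user 1's invoice 1001 through each handler.
    print("vulnerable:", get_invoice_vulnerable(2, 1001))  # 200 with data
    print("hardened:  ", get_invoice_hardened(2, 1001))    # 404
```

The check lives next to the lookup rather than in a decorator or middleware, because the thing being authorized is the object, not the route: a route-level "is logged in" check passes in both versions and is exactly what the vulnerable handler already has.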