IDOR (Insecure Direct Object Reference) is a significant security vulnerability that occurs when an application exposes a reference to an internal object (such as a database key) without properly checking that the requester is authorized to use it, allowing malicious users to access data or resources that do not belong to them.

For example, if a transaction number is directly included in a transaction URL and this number can be changed to a different transaction number, it is possible to access another user's transaction information. A simple example is provided below:


βš™οΈ Tools Used :

  • Burp-Suite
  • DevTools


πŸ§ͺ Invoices Lab

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

This lab contains an Insecure Direct Object References (IDOR) vulnerability that allows unauthorized access to other customers' invoices. To complete this lab, access other customers' invoices by changing the "invoice_id" value in the URL and find the invoice for the customer named "Emilia Rawne".

What is the email address of the customer named Emilia Rawne?

• Click View; your Invoice id = 1001 and your name = John Doe

1) Mass IDOR Enumeration: Sequential ID Trials

- Test: index.php?invoice_id=1002

# You have accessed Jane Smith's invoice information

- Test: index.php?invoice_id=1005
- Test: index.php?invoice_id=1004
- Test: index.php?invoice_id=1003  (✔️ Emilia Rawne)
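The lookup behind this lab, as an added example that is not part of the lab or of this post: first the IDOR the introduction describes (an object id taken straight from the URL and used as-is), then the ownership check that fixes it, and finally a small detector that flags the sequential-id walking shown above in access logs. The invoice table, owners, e-mail addresses and log lines are all constructed for the example.

```python
"""Added example (not from the lab or the original post): the invoice lookup
behind the Invoices lab, first as the IDOR the intro describes (an object id
taken straight from the URL) and then with the ownership check that fixes it,
plus a small detector for the sequential-id walking the lab demonstrates.
The invoice table, owners, e-mail addresses and log lines are constructed."""
import re
from collections import defaultdict

# Constructed invoice store; ids follow the lab's sequential 1001.. scheme.
INVOICES = {
    1001: {"owner": "john", "customer": "John Doe", "email": "john@example.test"},
    1002: {"owner": "jane", "customer": "Jane Smith", "email": "jane@example.test"},
    1003: {"owner": "emilia", "customer": "Emilia Rawne", "email": "emilia@example.test"},
}

class Forbidden(Exception):
    """The authenticated user does not own the requested object."""

def get_invoice_vulnerable(session_user: str, invoice_id: int) -> dict:
    """IDOR: invoice_id from the URL is the only thing consulted."""
    return INVOICES[invoice_id]

def get_invoice_fixed(session_user: str, invoice_id: int) -> dict:
    """Fix: the record must belong to the session's user. A missing record and
    a foreign record get the same refusal so the endpoint does not reveal
    which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_user:
        raise Forbidden(f"invoice {invoice_id} is not accessible to {session_user}")
    return inv

def is_denied(session_user: str, invoice_id: int) -> bool:
    """True when the fixed endpoint refuses the lookup."""
    try:
        get_invoice_fixed(session_user, invoice_id)
    except Forbidden:
        return True
    return False

# Constructed access-log lines: s1 reads its own invoice, s2 walks the id space.
SAMPLE_LOG = """\
sess=s1 GET /index.php?invoice_id=1001 200
sess=s2 GET /index.php?invoice_id=1001 200
sess=s2 GET /index.php?invoice_id=1002 403
sess=s2 GET /index.php?invoice_id=1003 403
sess=s2 GET /index.php?invoice_id=1004 403
sess=s2 GET /index.php?invoice_id=1005 403
"""
LOG_RE = re.compile(r"sess=(?P<sess>\S+) GET /index\.php\?invoice_id=(?P<id>\d+) (?P<status>\d{3})")

def flag_enumeration(log_text: str, max_distinct: int = 3, max_denied: int = 3) -> dict:
    """Return {session: reason} for sessions that touch many distinct invoice
    ids or collect many refusals. Only the fixed endpoint emits 403s, which is
    why the fix also gives the SOC something to alert on."""
    ids, denied = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ids[m["sess"]].add(int(m["id"]))
        if m["status"] == "403":
            denied[m["sess"]] += 1
    flagged = {}
    for sess, seen in ids.items():
        reasons = []
        if len(seen) >= max_distinct:
            reasons.append(f"{len(seen)} distinct invoice_ids")
        if denied[sess] >= max_denied:
            reasons.append(f"{denied[sess]} refused lookups")
        if reasons:
            flagged[sess] = "; ".join(reasons)
    return flagged

if __name__ == "__main__":
    print(get_invoice_vulnerable("john", 1003)["customer"])   # another customer's record
    print(is_denied("john", 1003), is_denied("emilia", 1003))
    print(flag_enumeration(SAMPLE_LOG))
```

Two design points worth noting: the fixed lookup scopes the query to the session user rather than checking ownership after the fact, and it answers "not found" and "not yours" identically, so the endpoint cannot be used to map which ids exist even once the data leak is closed.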


πŸ§ͺ Ticket Sales Lab

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

This lab contains an Insecure Direct Object References (IDOR) vulnerability that causes a product to be offered at a lower price. Your starting balance will not be enough to purchase tickets. To complete the lab, purchase tickets by manipulating the price sent to the server during ticket purchase.

What is the order id that appears after the ticket is purchased?

- Price of one Ticket: $300  |  Your Money: $50
• So you cannot buy any ticket
  • Manipulating the price sent to the server during ticket purchase:

1) Review and Manipulate POST Parameters using DevTools

- From the Number of Tickets input field, right-click on the page and then select Inspect.

- You'll see two input fields: the first is for the number of tickets you want to buy, and the second is for the price of a single ticket.

- We will tamper with the second input's value and set it to 0 so we can obtain the tickets for free 🤡

- Now go back to the page, enter any number of tickets you want to buy and then click Buy

2) Review and Manipulate POST Parameters using Burp-Suite

- Enter any number of tickets, then click Buy and intercept the request in Burp Suite

- You'll see two parameters: the first (amount) is for the number of tickets you want to buy, and the second (ticket_money) is for the price of a single ticket.

- Modify the ticket_money value to 0 and then forward the request

- Now go back to the page
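The server-side checkout this lab exploits, as an added example that is not part of the lab or of this post: a vulnerable handler that trusts the client's price field, and a fixed one that takes the price from a server-side catalogue and treats a disagreeing client value as a tamper signal. The field names amount and ticket_money are the ones the lab's form submits; the catalogue, product id, balances and request dictionaries are constructed.

```python
"""Added example (not from the lab or the original post): the checkout behind
the Ticket Sales lab, vulnerable and fixed. Field names amount and ticket_money
are the ones the lab's form submits; the catalogue, product id and balances
are constructed."""

# Constructed server-side catalogue; the only price the server should trust.
PRICE_TABLE = {"standard": 300}

class CheckoutError(Exception):
    pass

def checkout_vulnerable(form: dict, balance: int) -> dict:
    """Trusts the client's unit price. With ticket_money=0 the total is 0 and a
    $50 balance buys any number of tickets."""
    amount = int(form["amount"])
    total = amount * int(form["ticket_money"])
    if total > balance:
        raise CheckoutError("insufficient funds")
    return {"total": total, "balance": balance - total}

def price_tampered(form: dict, product: str = "standard") -> bool:
    """A browser submitting the rendered form never alters the price field, so a
    value that disagrees with the catalogue is a tamper signal worth alerting on."""
    return "ticket_money" in form and int(form["ticket_money"]) != PRICE_TABLE[product]

def checkout_fixed(form: dict, balance: int) -> dict:
    """Price comes from the catalogue keyed by product id; the client's price
    field is never used in arithmetic."""
    amount = int(form["amount"])
    product = form.get("product", "standard")
    if product not in PRICE_TABLE:
        raise CheckoutError("unknown product")
    if amount <= 0:
        raise CheckoutError("amount must be positive")
    if price_tampered(form, product):
        raise CheckoutError("client price field does not match catalogue; request rejected and flagged")
    total = amount * PRICE_TABLE[product]
    if total > balance:
        raise CheckoutError("insufficient funds")
    return {"total": total, "balance": balance - total}

def try_checkout(handler, form: dict, balance: int) -> dict:
    """Run a handler and return its result, or {"error": message}."""
    try:
        return handler(form, balance)
    except CheckoutError as e:
        return {"error": str(e)}

# Constructed requests: what the form sends untouched, and the lab's tampered one.
HONEST_FORM = {"amount": "2", "ticket_money": "300"}
TAMPERED_FORM = {"amount": "2", "ticket_money": "0"}

if __name__ == "__main__":
    print(try_checkout(checkout_vulnerable, TAMPERED_FORM, 50))
    print(try_checkout(checkout_fixed, TAMPERED_FORM, 50))
    print(try_checkout(checkout_fixed, HONEST_FORM, 600))
```

The cleanest fix removes the price field from the form altogether; the version above keeps it only so that a mismatch can be logged, which turns every attempt of the kind shown in this lab into an alert rather than a silent failure.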


πŸ§ͺ Change Password Lab

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

This lab contains an Insecure Direct Object References (IDOR) vulnerability that leads to unauthorized password changes for other users. To complete the lab, change the password of user "admin" by exploiting the IDOR vulnerability in the password change endpoint and log in to that account.

What is the phone number of user "admin"? (Answer Format: 000–000–0000)

- Log in with your credentials: test:test

1) Review and Manipulate POST Parameters using DevTools

- From the Change Password input field, right-click on the page and then select Inspect.

- You'll see two input fields: the first is for changing the password, and the second is the user ID, which is hidden and not visible on the page.

- Tampering with the second input's value could allow changing another user's password (often the user with ID 1 is the admin).

- Now go back to the page, enter any new password you want to set for user_id 1 and then click Confirm

- Finally, log out from your test account and then log in with the new admin credentials: admin:omer-secure

2) Review and Manipulate POST Parameters using Burp-Suite

- Enter any new password, then click Confirm and intercept the request in Burp Suite

- You'll see two parameters: the first (password) is for changing the password, and the second (user_id) is the hidden field that is not visible on the page.

- Modify the user_id value to 1 and then forward the request

- Finally, go back to the page, log out from your test account and then log in with the new admin credentials: admin:omer-secure


πŸ§ͺ Money Transfer Lab (VIP)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

This lab contains an Insecure Direct Object References (IDOR) vulnerability that allows you to transfer money from another user's account. To complete the lab, transfer money from user "User 2" to your own account ("User 1") by exploiting the IDOR vulnerability in the endpoint that performs the money transfer.

What is the transfer ID that appears when the money arrives in the user account?

- Try transferring money ($500) to "User 2"  ---> Success

1) Review and Manipulate POST Parameters using DevTools

- Right-click on the Transfer Amount input field and then select Inspect.

- You'll see three input fields: the first is for the transfer amount, the second is for the receiver ID, and the third is for the sender ID, which is hidden and not visible on the page.

- Tampering with all three input values could allow you to transfer money from another user's account.

- Now go back to the page, enter the transfer amount you want, enter the receiver ID of "User 1" to transfer the money to your account, and then in DevTools enter the sender ID of "User 2" to transfer the money from that account.

- Finally, click Confirm

2) Review and Manipulate POST Parameters using Burp-Suite

- Based on the solutions above, try to solve it yourself using Burp Suite
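Both the Change Password lab and this Money Transfer lab have the same root cause and the same fix, so here is one added example covering both; it is not part of the labs or of this post. Each endpoint is shown in its vulnerable form (the target account or the sender comes from a hidden request field) and in its fixed form (the acting user is taken from the server-side session, and the request field is ignored). The form field names password, user_id, amount, sender_id and receiver_id follow the labs; the user table, balances, session tokens and the added current_password requirement are constructed.

```python
"""Added example (not from the labs or the original post): the server side of
the Change Password and Money Transfer labs, each in a vulnerable and a fixed
form. The fix is identical: the acting user is taken from the server-side
session, never from a request field. Form field names (password, user_id,
amount, sender_id, receiver_id) follow the labs; users, balances, tokens and
the current_password requirement are constructed additions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class User:
    uid: int
    name: str
    salt: bytes
    pw_hash: bytes
    balance: int

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def _make_user(uid: int, name: str, pw: str, balance: int) -> User:
    salt = os.urandom(16)
    return User(uid, name, salt, _hash(pw, salt), balance)

# Constructed accounts: id 1 is the admin, as the lab hints; "test" is the player.
USERS = {1: _make_user(1, "admin", "initial-admin-pw", 1000),
         2: _make_user(2, "test", "test", 500)}
# Constructed server-side session store: opaque token -> logged-in user id.
SESSIONS = {"sess-test": 2}

class Unauthorized(Exception):
    pass

def _session_user(token: str) -> User:
    uid = SESSIONS.get(token)
    if uid is None:
        raise Unauthorized("no valid session")
    return USERS[uid]

def verify_login(name: str, pw: str) -> bool:
    for u in USERS.values():
        if u.name == name:
            return hmac.compare_digest(_hash(pw, u.salt), u.pw_hash)
    return False

def change_password_vulnerable(token: str, form: dict) -> int:
    """IDOR: the account to modify is whatever user_id the client sent."""
    _session_user(token)                  # login is required, ownership is not
    target = USERS[int(form["user_id"])]
    target.pw_hash = _hash(form["password"], target.salt)
    return target.uid

def change_password_fixed(token: str, form: dict) -> int:
    """Target is the session's own user; user_id in the form is ignored.
    Re-authenticating with the current password is an added hardening step."""
    target = _session_user(token)
    if not verify_login(target.name, form.get("current_password", "")):
        raise Unauthorized("current password required")
    target.pw_hash = _hash(form["password"], target.salt)
    return target.uid

def transfer_vulnerable(token: str, form: dict) -> tuple:
    """IDOR: sender_id comes from a hidden field, so any account can be debited."""
    _session_user(token)
    sender, receiver = USERS[int(form["sender_id"])], USERS[int(form["receiver_id"])]
    amount = int(form["amount"])
    sender.balance -= amount
    receiver.balance += amount
    return sender.uid, receiver.uid, sender.balance

def transfer_fixed(token: str, form: dict) -> tuple:
    """Sender is always the session user; only amount and receiver are client input."""
    sender = _session_user(token)
    receiver = USERS.get(int(form["receiver_id"]))
    amount = int(form["amount"])
    if receiver is None or receiver.uid == sender.uid:
        raise ValueError("invalid receiver")
    if amount <= 0 or amount > sender.balance:
        raise ValueError("invalid amount")
    sender.balance -= amount
    receiver.balance += amount
    return sender.uid, receiver.uid, sender.balance
```

The point the two fixed handlers share is that a hidden form field is still client input: anything that identifies whose data is being read or written has to come from state the server controls (here the session store), and a request parameter that duplicates it should be dropped rather than validated.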


πŸ§ͺ Update Account Lab (VIP)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

This lab contains an Insecure Direct Object References (IDOR) vulnerability that leads to unauthorized modification of other users' account information. To complete the lab, identify the IDOR vulnerability in the endpoint where you can change the account information of user "Renee Misson", and view other users' account information.

What is the phone number of user "Renee Misson"? (Answer Format: 000–000–0000)

- Open TARGET.hackviser.space

- Your default name: Nadia Rennocka

- Try changing your name ---> Success

1) Review and Manipulate POST Parameters using Burp-Suite

- Open TARGET.hackviser.space again and intercept the request in Burp Suite

- You'll see your user ID "id=1" in the cookie sent with the request.

- Modify "id=1" to "id=2" and then forward the request

- Go back to the page; you'll see the information of user ID 2, named "Darill Deeprose".

• Repeat the same steps above with a different "id" value until you find the information of user "Renee Misson" (id=3).

1) Additional Step: Change Another User Information

• e.g.: we'll change the information of user "Renee Misson"

- Open TARGET.hackviser.space to view your account information

- Click "Save Profile" and then intercept the request in Burp Suite

- You'll see multiple parameters for the user information.

- Modify "id=1" to "id=3" and then forward the request

- Finally, go back to the page; you'll find that the information of user "Renee Misson" has changed to the same as yours.
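This lab's weak point is the session itself: the user id travels in a plaintext cookie, so editing it is just another IDOR. As an added example that is not part of the lab or of this post, the plaintext cookie is shown beside an HMAC-signed session cookie that the server refuses once its payload is altered, with the "Save Profile" handler writing only to the session's own record. The user names are the ones the lab displays; the signing key, cookie format and profile fields are constructed.

```python
"""Added example (not from the lab or the original post): the Update Account
lab keeps the user id in a plaintext cookie, so editing id=1 to id=3 selects
another profile. Below, the plaintext cookie beside an HMAC-signed session
cookie that the server refuses once tampered with. Names are the lab's
sample users; the key, cookie format and profile fields are constructed."""
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key-use-a-random-one"   # constructed, demo only

# Constructed profile store; the names are the ones shown in the lab.
PROFILES = {1: {"name": "Nadia Rennocka"},
            2: {"name": "Darill Deeprose"},
            3: {"name": "Renee Misson"}}

def uid_from_plaintext_cookie(cookie: str) -> int:
    """Vulnerable: 'id=1' is client-controlled, so it is just another IDOR."""
    for part in cookie.split(";"):
        k, _, v = part.strip().partition("=")
        if k == "id":
            return int(v)
    raise ValueError("no id cookie")

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session_cookie(uid: int) -> str:
    """Fixed: the server binds uid to a MAC that only it can compute."""
    payload = _b64(json.dumps({"uid": uid}).encode())
    sig = _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def uid_from_signed_cookie(cookie: str) -> int:
    """Recompute the MAC and compare in constant time; reject on any mismatch."""
    try:
        payload, sig = cookie.split(".", 1)
    except ValueError:
        raise ValueError("malformed session cookie")
    expected = _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("session cookie signature invalid")
    return int(json.loads(_unb64(payload))["uid"])

def resolve_signed(cookie: str):
    """Returns the uid, or None if the cookie fails verification."""
    try:
        return uid_from_signed_cookie(cookie)
    except ValueError:
        return None

def edited_payload(cookie: str, new_uid: int) -> str:
    """The lab's edit replayed against the signed cookie: new payload, old
    signature. Exists only to show that verification rejects it."""
    _, sig = cookie.split(".", 1)
    return f"{_b64(json.dumps({'uid': new_uid}).encode())}.{sig}"

def view_profile(uid: int) -> dict:
    return PROFILES[uid]

def save_profile(uid: int, form: dict) -> dict:
    """'Save Profile' writes only to the session's own record; no id field
    from the request body is consulted."""
    PROFILES[uid]["name"] = form["name"]
    return PROFILES[uid]

if __name__ == "__main__":
    print(view_profile(uid_from_plaintext_cookie("id=3")))      # plaintext: anyone's profile
    cookie = issue_session_cookie(1)
    print(resolve_signed(cookie), resolve_signed(edited_payload(cookie, 3)))
```

In a real deployment the signed cookie would also carry an expiry and the key would come from configuration rather than source, and a random server-side session id with the uid stored only on the server is an equally good answer; the property either approach gives is that the client can no longer choose which account it is acting as.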

✅ Congrats — All five Insecure Direct Object References (IDOR) labs have been completed. I hope you found the walkthroughs useful — stay tuned for mitigation guides and follow-up posts 🎉

💼 LinkedIn