IDOR Vulnerability Analysis

Platform

PortSwigger Web Security Academy

Tools Used

Burp Suite
Browser Developer Tools
HTTP Request Analysis

Vulnerability Type

IDOR (Insecure Direct Object Reference)

Objective

Access unauthorized user data by manipulating object references and analyze the security impact of broken access control.

Attack Flow

Login as a normal user
Intercept the HTTP request using Burp Suite
Identify the object reference (user ID / order ID / document ID)
Modify the parameter manually
Forward the modified request
Access unauthorized resource

Example

Original request:

GET /account?id=123

Modified request:

GET /account?id=124

Result:

Unauthorized access to another user's data

Impact

Sensitive data exposure
Privacy breach
Unauthorized access
Potential privilege escalation
Broken access control exploitation

Risk Level

High

Mitigation

Server-side authorization checks
Access control validation
Indirect object references
Role-Based Access Control (RBAC)
Principle of Least Privilege

Lessons Learned

Never trust client-side identifiers. Authorization must always be validated on the server side.

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
IDOR_Lab_Report.docx		IDOR_Lab_Report.docx
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

IDOR Vulnerability Analysis

Platform

Tools Used

Vulnerability Type

Objective

Attack Flow

Example

Impact

Risk Level

Mitigation

Lessons Learned

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Folders and files

Latest commit

History

Repository files navigation

IDOR Vulnerability Analysis

Platform

Tools Used

Vulnerability Type

Objective

Attack Flow

Example

Impact

Risk Level

Mitigation

Lessons Learned

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Packages