# IDOR (Insecure Direct Object Reference)

IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability.

This type of vulnerability can occur when a web server uses user-supplied input to retrieve objects (files, data, documents), places too much trust in that input, and does not validate it server-side to confirm that the requested object belongs to the user requesting it.

## Example:

**service.thm/profile?user\_id=1305**

If you can change the ID to 1000, for example, and see another user's information, then this is an IDOR vulnerability.

## IDOR through encoded IDs

When passing data from page to page, whether by POST data, query strings, or cookies, web developers will often first take the raw data and encode it.

<https://www.base64decode.org/>

```bash
echo 'base_64_string' | base64 -d
```

## IDOR through hashed IDs

Hashed IDs are a little bit more complicated to deal with than encoded ones, but they may follow a predictable pattern, such as being the hashed version of the integer value.

<https://crackstation.net/> <https://www.dcode.fr/md5-hash>

## IDOR Unpredictable IDs

If the ID cannot be detected using the above methods, an excellent method of IDOR detection is to create two accounts and swap the ID numbers between them. If you can view the other user's content using their ID number while still being logged in with a different account (or not logged in at all), you've found a valid IDOR vulnerability.
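The following is an added example, not part of the original notes: it puts a handler that trusts the supplied ID beside one that performs the server-side ownership check, and runs the two-account swap as a regression test across plain, Base64-encoded and MD5-hashed IDs. The handler names, the in-memory `PROFILES` store and the sample accounts are assumptions made for illustration.

```python
import base64
import hashlib

# Constructed sample data: profile records keyed by numeric user id.
PROFILES = {
    1000: {"owner": 1000, "email": "alice@example.test"},
    1305: {"owner": 1305, "email": "bob@example.test"},
}

def decode_id(raw):
    """Map a plain, MD5-hashed or Base64-encoded integer id back to an int."""
    if raw.isdigit():
        return int(raw)
    for uid in PROFILES:  # hashed ids are just a lookup on the server side
        if hashlib.md5(str(uid).encode()).hexdigest() == raw:
            return uid
    try:
        return int(base64.b64decode(raw, validate=True).decode())
    except ValueError:  # covers bad Base64, bad UTF-8 and non-integer text
        return None

def get_profile_vulnerable(session_user, raw_id):
    """Trusts the client-supplied id: any session can read any record."""
    return PROFILES.get(decode_id(raw_id))

def get_profile_fixed(session_user, raw_id):
    """Returns the record only if it belongs to the authenticated user."""
    record = PROFILES.get(decode_id(raw_id))
    if record is None or session_user is None or record["owner"] != session_user:
        return None  # same answer for "missing" and "not yours"
    return record

def swap_test(handler, user_a, user_b):
    """Two-account check: can A read B's record under each id representation?"""
    forms = {
        "plain": str(user_b),
        "base64": base64.b64encode(str(user_b).encode()).decode(),
        "md5": hashlib.md5(str(user_b).encode()).hexdigest(),
    }
    return {name: handler(user_a, value) is not None
            for name, value in forms.items()}

if __name__ == "__main__":
    print("vulnerable:", swap_test(get_profile_vulnerable, 1305, 1000))
    print("fixed:     ", swap_test(get_profile_fixed, 1305, 1000))
```

Encoding or hashing the ID changes nothing in the vulnerable handler's result; only the ownership comparison against the session user does.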


