Identify object identifiers

Reproduction Steps (Insecure Direct Object Reference – IDOR):

  1. Log in to the application using a valid user account.

  2. Identify a request that references a direct object identifier, such as:

    • Query parameters (e.g., user_id=123, orderId=456)

    • URL path parameters (e.g., /api/profile/789)

    • JSON body fields (e.g., "userId": 123)

  3. Capture the request using Burp Suite or the browser’s developer tools.

  4. Modify the object identifier in the request by:

    • Incrementing/decrementing the ID (e.g., 123 → 124), or

    • Replacing it with another valid user’s ID (e.g., from a second account), or

    • Supplying a different valid-looking identifier (numeric, UUID, or Base64).

  5. Forward the modified request to the server.

  6. Observe the server response.

  7. Confirm the vulnerability if the application:

    • Returns another user’s sensitive data, or

    • Allows unauthorized actions (view, edit, delete) on resources not owned by the attacker.

  8. Repeat the test across different request types to verify impact:

    • GET requests

    • POST / PUT request bodies

    • JSON-based API endpoints

Result: Successful access or modification of another user’s resources without proper authorization confirms an IDOR vulnerability caused by missing or insufficient server-side access control.
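As an added illustration of the root cause named in the result (example code, not part of the original checklist): a vulnerable order lookup beside a hardened one that scopes the lookup to the session user, plus a regression check that replays steps 4 to 7 against a handler. User IDs 123/124 and order IDs 456/457 are constructed sample data; `ORDERS` stands in for a database table.

```python
# Constructed sample data standing in for a database table: two users
# (123 and 124), each owning one order.
ORDERS = {
    456: {"owner_id": 123, "total": "19.99"},
    457: {"owner_id": 124, "total": "250.00"},
}


class Forbidden(Exception):
    """Raised when the authenticated user is not allowed to touch the object."""


def get_order_insecure(session_user_id: int, order_id: int) -> dict:
    """Vulnerable pattern: the identifier from the request is trusted as-is,
    so any logged-in user can read any order simply by changing orderId."""
    return ORDERS[order_id]


def load_owned_order(session_user_id: int, order_id: int) -> dict:
    """Authorization helper: scope the lookup to the caller, the way a query
    'WHERE id = ? AND owner_id = ?' would. Missing and not-owned objects get
    the same error so the response does not reveal whether the ID exists."""
    order = ORDERS.get(order_id)
    if order is None or order["owner_id"] != session_user_id:
        raise Forbidden(f"user {session_user_id} may not access order {order_id}")
    return order


def get_order_secure(session_user_id: int, order_id: int) -> dict:
    """Hardened read: authenticate (session_user_id) and then authorize."""
    return load_owned_order(session_user_id, order_id)


def delete_order_secure(session_user_id: int, order_id: int) -> None:
    """State-changing actions need the same ownership check as reads."""
    load_owned_order(session_user_id, order_id)
    del ORDERS[order_id]


def cross_user_access_allowed(handler, attacker_id: int, victim_order_id: int) -> bool:
    """Regression check mirroring the reproduction steps: a valid session for
    attacker_id requests an object it does not own. True means the endpoint
    is exposed to IDOR; a hardened handler must return False."""
    try:
        handler(attacker_id, victim_order_id)
    except Forbidden:
        return False
    return True
```

Running `cross_user_access_allowed` for every handler that takes an object identifier, with a second account as the caller, turns the manual steps above into an automated access-control test.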
