A bug bounty writeup describing an IDOR vulnerability in a GraphQL API that allowed unauthorized access to personally identifiable information (PII) due to missing authorization controls.
An article discussing advanced techniques and methodologies for exploiting IDOR vulnerabilities beyond basic enumeration, targeting authorization flaws in web applications.
A critical IDOR vulnerability discovered through accidental observation of different URL parameter flows in a change-password endpoint, allowing unauthorized access to other users' accounts and subsequent email modification for account takeover.
Writeup of three bugs submitted to Google VRP: a reflected XSS in artsexperiments.withgoogle.com discovered via ParamSpider and kxss automation, and two IDORs in AppSheet endpoints where access control could be bypassed—one requiring a specific version parameter to exploit. The author details the discovery process, initial rejections, and eventual acceptance with $500 bounties awarded.
A researcher discovered a critical IDOR vulnerability in an e-commerce platform's address book functionality that allowed account takeover by manipulating user ID parameters in API requests; it was found after exploiting a stored XSS in the same feature.
A bug bounty writeup demonstrating an account takeover vulnerability combining IDOR and weak encryption in a password reset function. The attacker decrypted Zlib-compressed tokens, discovered an Adler-32 checksum constraint, located a Transaction_Token endpoint via directory fuzzing, and automated exploitation to forge valid password reset links for arbitrary accounts.
A researcher discovered an IDOR vulnerability in a WebSocket-based signup flow that allowed account takeover by manipulating UUID parameters during user registration, enabling email changes on arbitrary accounts without authentication.
A security researcher discovered an IDOR vulnerability in an e-commerce platform that gave unauthorized access to user account data (name, address, credit card details). Misconfigured CORS exposed random checkout hashes to third-party integrations, allowing attackers to enumerate and access arbitrary user wallets via predictable endpoints.
An IDOR vulnerability in an e-commerce application's address management API exposed other users' sensitive information (names, addresses, phone numbers) through a POST request to the set-default-address endpoint, which returned 200 with an empty body but still processed sequential address IDs. The vulnerability was discovered when the payment page displayed a different user's address data.