Top 25 IDOR Bug Bounty Reports

What is IDOR?

https://example.com/account.php?id=24
https://example.com/account.php?id=11

Types of IDOR

  1. Blind IDOR: The type of IDOR in which the results of the exploitation cannot be seen in the server response. For example, modifying another user's private data without being able to read it.
  2. Generic IDOR: The type of IDOR in which the results of the exploitation can be seen in the server response. For example, accessing confidential data or files belonging to another user.
  3. IDOR with Reference to Objects: Used to access or modify an unauthorized object. For example, accessing the bank account information of other users by sending a request such as → example.com/accounts?id={reference ID}
  4. IDOR with Reference to Files: Used to access an unauthorized file. For example, a live chat server stores confidential conversations in files named with incrementing numbers, so any conversation can be retrieved just by sending requests like → example.com/1.log, example.com/2.log, example.com/3.log and so on.
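
The following is an added example, not code from the original article: a minimal account endpoint in the style of the `accounts?id=` case above, shown once without an ownership check (which allows both the generic and the blind variants) and once with the check that closes them. The `Account` store, user names and balances are constructed sample data.

```python
# Added illustration (not from the article): account lookup with and without
# an ownership check, over constructed sample data.
from dataclasses import dataclass


@dataclass
class Account:
    id: int
    owner: str
    balance: int


# Constructed server-side store; ids 24 and 11 mirror the article's URLs.
ACCOUNTS = {
    11: Account(id=11, owner="alice", balance=500),
    24: Account(id=24, owner="bob", balance=1200),
}


class Forbidden(Exception):
    pass


def get_account_vulnerable(session_user, account_id):
    """Generic IDOR: the client-supplied id is trusted and the owner is never
    compared with the logged-in user, so any account can be read."""
    return ACCOUNTS[account_id]


def update_balance_vulnerable(session_user, account_id, new_balance):
    """Blind IDOR: another user's record is modified and the response ("ok")
    reveals nothing, so the impact is not visible in the reply."""
    ACCOUNTS[account_id].balance = new_balance
    return "ok"


def _authorize(session_user, account_id):
    """Ownership check. The same error is raised for a missing id and for an
    id owned by someone else, so the id space cannot be enumerated by telling
    'not found' apart from 'not yours'. Hashing or randomising the id (as in
    the profiles.php example) is not a substitute for this check."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise Forbidden("no such account")
    return acct


def get_account_fixed(session_user, account_id):
    return _authorize(session_user, account_id)


def update_balance_fixed(session_user, account_id, new_balance):
    acct = _authorize(session_user, account_id)
    acct.balance = new_balance
    return "ok"


def can_access(handler, session_user, *args):
    """True if the handler serves the request, False if it refuses it."""
    try:
        handler(session_user, *args)
        return True
    except Forbidden:
        return False
```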

How to find an IDOR in a Bug Bounty Program

https://example.com/profiles.php?id=e4da3b7fbbce2345d7772b0674a318d5

Top 25 IDOR Bug Bounty Reports

Bonus: 10 Zero Dollars IDOR Reports

Cristian Cornea
