07 Dec 2025
IDOR: Santa's Little IDOR
Every subtitle of the room is an acronym of IDOR.
IDOR - Insecure Direct Object Reference. An access control vulnerability, AKA authorization bypass.
A simple example of a possible IDOR is the address https://awesome.website.thm/TrackPackage?packageID=1001. It might be possible to change the package ID and see another package's data without actually being allowed to see it. Many people try to fix this by obfuscating the object ID, but the problem remains that the server isn't checking whether the person should actually have access to the object.
Authentication has to happen first. If the app doesn’t know who you are it doesn’t know what you should be able to do. This links to PrivEsc too.
IDOR is usually a form of horizontal PrivEsc.
Use the browser dev tools on the website. The Network tab reveals user_id as a specific number and the reference used to fetch details. The Storage tab allows adjusting the user_id value. You can determine and manipulate numbers or hashes to see other information. Depending on the UUID version (namely version 1), if the creation time period is known, UUIDs can be generated and used for brute forcing.
The best way to stop IDOR is to make sure the server checks who is asking for the data every time. Don't rely on obfuscation and tricks. Use random or hard-to-guess IDs for public links. Always test your app by trying to access other users' data. Record and monitor failed access attempts and treat them as early warning signs.
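The fix described above in code. This is an added example, not code from the TryHackMe room or its authors; it uses a constructed in-memory package table and made-up user and package IDs. It puts the vulnerable TrackPackage-style lookup next to the hardened one (authenticate first, then check that the caller owns the object), generates an unguessable token for public links, and keeps a log of denied lookups so repeated probing can be flagged.

```python
# Added example (not from the room): a minimal package-tracking lookup showing
# the IDOR pattern and the object-level authorization check that fixes it.
# All records below are constructed sample data.
from dataclasses import dataclass
import secrets
from typing import Optional


@dataclass
class Package:
    package_id: int
    owner_user_id: int
    contents: str


# Constructed sample records: user 7 owns two packages, user 8 owns one.
PACKAGES = {
    1001: Package(1001, owner_user_id=7, contents="gloves"),
    1002: Package(1002, owner_user_id=7, contents="scarf"),
    1003: Package(1003, owner_user_id=8, contents="boots"),
}

# Audit log of denied lookups: (requesting user, requested package id).
DENIED_ATTEMPTS: list[tuple[int, int]] = []


class Forbidden(Exception):
    pass


def track_package_vulnerable(package_id: int) -> Optional[str]:
    """IDOR: the handler trusts the supplied ID and never asks who is asking."""
    pkg = PACKAGES.get(package_id)
    return pkg.contents if pkg else None


def track_package_secure(package_id: int, session_user_id: Optional[int]) -> str:
    """Authenticate first, then check the authenticated user owns the object."""
    if session_user_id is None:
        raise Forbidden("authentication required")
    pkg = PACKAGES.get(package_id)
    # Treat "does not exist" and "not yours" identically so the response
    # does not confirm which IDs are valid.
    if pkg is None or pkg.owner_user_id != session_user_id:
        DENIED_ATTEMPTS.append((session_user_id, package_id))
        raise Forbidden("no access to that package")
    return pkg.contents


def public_tracking_token() -> str:
    """Unguessable token for a public share link. The server still has to map
    the token to exactly one package; it is not a substitute for the check above."""
    return secrets.token_urlsafe(32)


def repeated_denials(user_id: int, threshold: int = 3) -> bool:
    """Detection hook: a user tripping the ownership check repeatedly is an
    early warning sign worth alerting on."""
    return sum(1 for uid, _ in DENIED_ATTEMPTS if uid == user_id) >= threshold


if __name__ == "__main__":
    print(track_package_vulnerable(1003))      # anyone can read user 8's package
    print(track_package_secure(1001, 7))       # owner reads their own package
    try:
        track_package_secure(1003, 7)          # user 7 asking for user 8's package
    except Forbidden as exc:
        print("denied:", exc, DENIED_ATTEMPTS)
```

The point of the `pkg is None or pkg.owner_user_id != session_user_id` line is that the check happens on every request against the authenticated identity, not against anything the client supplied; a random token only changes how hard the ID is to guess, it does not replace the ownership check.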
References:
https://www.mwrcybersec.com/whats-the-deal-with-idor
https://uuidtools.com/decoder (includes cool charts explaining some elements of the UUID)
IDOR room