Bug Hunting Methodology - IDOR (Insecure Direct Object Reference)

Contents

APIs

  • Create two accounts.
  • Populate as much data as you can for both accounts. Create at least two instances of each model per account so that you can test deletion later without running out of objects, and keep a list of the identifiers (object IDs, emails, filenames) each account owns; they are what you will look for in the other account's responses.
  • Streamline the data population with Burp's AutoRepeater extension: it re-sends a matching request with substitutions you define, so one captured create request can be replayed for the second account with its session token swapped in.
  • Check for IDOR by exercising every remaining API call through Burp's Autorize extension: it replays each request made from the first account with the second account's session cookie or token and flags the result as bypassed when the response comes back identical, enforced when it is rejected (401/403/404), or as needing manual review when it succeeds with a different body.
  • Get lucky, profit!

Databases

  • Some models reference other models that belong to a different identity. When the API serializes the related model inline, its fields (and the identifiers it carries) leak even though the ownership check on the top-level object passed, so a request for your own object can disclose someone else's data.
  • Draw the relationships between data models as a table or entity-relationship diagram, one row per model with its foreign keys, so you can see which objects are reachable from which.
  • Prioritize the models with the most relations, since each embedded relation is a chance to disclose another identity's data indirectly, and test those first.
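The two-account check from the APIs section and the related-model leak from the Databases section, carried out together against a simulated target. This is an added example written for this page, not code from the page or from Burp's AutoRepeater or Autorize; the in-memory routes, the user, invoice and ticket records, the session tokens and the recorded paths are all constructed here so it runs offline. The invoices route deliberately omits the owner check (a direct IDOR), the tickets route enforces ownership but embeds the assigned agent's record with every ticket that agent handles (an indirect leak through a relation), and the profile route is enforced correctly.

```python
"""Two-account IDOR check (direct, and indirect via related models) against a
simulated API. Everything here is constructed for the example: the routes,
users, invoices, tickets and session tokens are assumptions, not a real target.
"""
import re

# Methodology steps 1 and 2: two accounts, at least two instances per model each.
# The support agent (1003) is a third identity that never logs in.
USERS = {
    1001: {"id": 1001, "email": "alice@example.invalid"},
    1002: {"id": 1002, "email": "bob@example.invalid"},
    1003: {"id": 1003, "email": "carol@example.invalid"},
}
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002}
INVOICES = {101: {"id": 101, "owner_id": 1001, "total": 120.0},
            102: {"id": 102, "owner_id": 1001, "total": 40.0},
            201: {"id": 201, "owner_id": 1002, "total": 99.0},
            202: {"id": 202, "owner_id": 1002, "total": 10.0}}
TICKETS = {301: {"id": 301, "owner_id": 1001, "agent_id": 1003, "subject": "refund"},
           302: {"id": 302, "owner_id": 1001, "agent_id": 1003, "subject": "login"},
           401: {"id": 401, "owner_id": 1002, "agent_id": 1003, "subject": "billing"},
           402: {"id": 402, "owner_id": 1002, "agent_id": 1003, "subject": "export"}}

ROUTE = re.compile(r"/api/(invoices|tickets|profile)/(\d+)")


def api(path, session):
    """Simulated target. invoices: owner check deliberately missing (direct IDOR).
    tickets: owner check correct, but the serializer embeds the related agent
    record, whose ticket list spans every customer (indirect leak).
    profile: correctly enforced."""
    user_id = SESSIONS.get(session)
    if user_id is None:
        return 401, {"error": "unauthenticated"}
    m = ROUTE.fullmatch(path)
    if not m:
        return 404, {"error": "not found"}
    model, obj_id = m.group(1), int(m.group(2))
    if model == "invoices":
        row = INVOICES.get(obj_id)  # BUG (intended): no owner_id == user_id check
        return (200, row) if row else (404, {"error": "not found"})
    if model == "tickets":
        row = TICKETS.get(obj_id)
        if row is None or row["owner_id"] != user_id:
            return 404, {"error": "not found"}
        agent = dict(USERS[row["agent_id"]])
        agent["ticket_ids"] = sorted(t for t, v in TICKETS.items()
                                     if v["agent_id"] == row["agent_id"])
        return 200, {**row, "agent": agent}
    if obj_id != user_id:
        return 403, {"error": "forbidden"}
    return 200, USERS[obj_id]


def owned_values(user_id):
    """Identifiers populated for one account (step 2). Ids are globally unique
    in this constructed data, so a flat set works; on a real target key them
    by model to avoid matching unrelated small integers."""
    vals = {user_id, USERS[user_id]["email"]}
    for table in (INVOICES, TICKETS):
        vals |= {k for k, v in table.items() if v["owner_id"] == user_id}
    return vals


def leaves(obj):
    """Yield every scalar in a JSON-like structure, however deeply nested."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from leaves(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from leaves(v)
    else:
        yield obj


def idor_check(paths, victim_session, attacker_session):
    """Replay every recorded path with the attacker's session (what Autorize
    automates) and scan each 200 response for the victim's identifiers."""
    victim_data = owned_values(SESSIONS[victim_session])
    verdicts = {}
    for path in paths:
        status, body = api(path, attacker_session)
        if status != 200:
            verdicts[path] = "enforced"
            continue
        leaked = sorted(str(v) for v in leaves(body) if v in victim_data)
        if not leaked:
            verdicts[path] = "ok"
        elif int(ROUTE.fullmatch(path).group(2)) in victim_data:
            verdicts[path] = "direct IDOR: " + ", ".join(leaked)
        else:
            verdicts[path] = "indirect leak via related model: " + ", ".join(leaked)
    return verdicts


if __name__ == "__main__":
    # Paths recorded while driving both accounts through the app (constructed).
    recorded = ["/api/invoices/101", "/api/invoices/201", "/api/tickets/301",
                "/api/tickets/401", "/api/profile/1001", "/api/profile/1002"]
    for path, verdict in idor_check(recorded, "sess-alice", "sess-bob").items():
        print(f"{path:20} {verdict}")
```

Two points the run makes that the bullets alone do not: the tickets route would look safe to a pure replay check (the victim's ticket is correctly refused), and only scanning the attacker's own successful responses for the victim's identifiers exposes the leak through the agent relation. That is why the populated-data inventory from step 2 matters as much as the replay in step 4.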