Security / Quiz

Hunting IDOR

The two-account method, sequential vs UUID ids, horizontal vs vertical access, and where to probe for broken object authz.

Difficulty
Medium
Format
Quiz
Points
150
Estimate
9 min

// MISSION BRIEF

Your Mission

IDOR is the bug scanners cannot find and testers catch in minutes. This quiz is about the hunt: the two-account method, why sequential ids are a gift to attackers, horizontal vs vertical escalation, and the many places an object reference hides.

// FIRST CONTACT

Battle teaser

The two-account method for finding IDOR is:

  1. ASend malformed JSON until the server errors
  2. BLog in as user A, capture a request to A's resource, then replay it with B's object id using A's session; if you get B's data, it is IDOR
  3. CBrute-force A's password until B's data appears
  4. DScan the site with an automated vulnerability tool
Answers, scoring, hints, and the full battle stay sealed.

// SKILL TAGS

securityidorbroken-access-controlauthorization