Security / Quiz
Hunting IDOR
The two-account method, sequential vs UUID ids, horizontal vs vertical access, and where to probe for broken object authz.
- Difficulty
- Medium
- Format
- Quiz
- Points
- 150
- Estimate
- 9 min
// MISSION BRIEF
Your Mission
IDOR is the bug scanners cannot find and testers catch in minutes. This quiz is about the hunt: the two-account method, why sequential ids are a gift to attackers, horizontal vs vertical escalation, and the many places an object reference hides.
// FIRST CONTACT
Battle teaser
The two-account method for finding IDOR is:
- ASend malformed JSON until the server errors
- BLog in as user A, capture a request to A's resource, then replay it with B's object id using A's session; if you get B's data, it is IDOR
- CBrute-force A's password until B's data appears
- DScan the site with an automated vulnerability tool
Answers, scoring, hints, and the full battle stay sealed.
// SKILL TAGS
securityidorbroken-access-controlauthorization