The Ultimate Checklist for Detecting IDOR and Broken Access Control Vulnerabilities
When testing web applications for security vulnerabilities, Insecure Direct Object References (IDOR) and Broken Access Control (BAC) are some of the most critical issues to identify. These flaws can lead to unauthorized data access, privilege escalation, or worse — complete compromise of an application.
In this article, I’ll walk you through a comprehensive checklist for systematically identifying and testing for IDOR and BAC vulnerabilities. Whether you’re a seasoned bug bounty hunter or just getting started, this guide will help you methodically assess access control mechanisms in web applications.

What Are IDOR and BAC?
IDOR (Insecure Direct Object References)
IDOR occurs when an application exposes object references (like IDs, filenames, or tokens) without enforcing proper authorization checks. For example:
- Modifying a user_id in a URL to access another user’s data.
- Manipulating a file download link to access private files.
Broken Access Control (BAC)
BAC happens when an application fails to enforce restrictions on what authenticated or unauthenticated users are allowed to do. This includes issues like:
- Horizontal privilege escalation: Accessing other users’ data.
- Vertical privilege escalation: Gaining admin access as a regular user.
- Unauthorized actions or access to restricted resources.
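The two flaws above, side by side with their corrected forms, as an added example that is not the article's own code. The invoice records, user ids, role names and the guest/user/admin sessions are all constructed for the illustration; the vulnerable handler uses the client-supplied id directly (the IDOR described above), while the hardened handlers add an object-level ownership check (blocks horizontal escalation) and a role check (blocks vertical escalation). The access matrix helper exercises one action as every prepared session, which is the same role-by-action view the testing checklist below builds by hand.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Who is calling. user_id None models a guest (not logged in)."""
    user_id: Optional[int]
    role: str  # "guest", "user" or "admin" (constructed role names)


# Constructed sample data: invoice id -> record with its owner.
INVOICES = {
    1001: {"owner": 1, "amount": "EUR 40.00"},
    1002: {"owner": 2, "amount": "EUR 99.00"},
}

# Constructed test sessions, one per role, plus a second regular user so
# horizontal access (user reading another user's record) can be exercised.
SESSIONS = {
    "guest": Session(None, "guest"),
    "owner": Session(1, "user"),
    "other_user": Session(2, "user"),
    "admin": Session(9, "admin"),
}


class Unauthorized(Exception):
    """Caller is not logged in (would be HTTP 401)."""


class Forbidden(Exception):
    """Caller is logged in but lacks the role (would be HTTP 403)."""


class NotFound(Exception):
    """Record absent or not visible to the caller (would be HTTP 404)."""


def vulnerable_get_invoice(session: Session, invoice_id: int) -> dict:
    """IDOR: the client-supplied id is used directly, no ownership check."""
    return INVOICES[invoice_id]


def get_invoice(session: Session, invoice_id: int) -> dict:
    """Hardened: an object-level check ties the record to the caller."""
    if session.user_id is None:
        raise Unauthorized("login required")
    record = INVOICES.get(invoice_id)
    # Same response whether the id is missing or belongs to someone else,
    # so the endpoint does not reveal which ids exist.
    if record is None or (session.role != "admin" and record["owner"] != session.user_id):
        raise NotFound("no such invoice")
    return record


def delete_user(session: Session, target_user_id: int) -> bool:
    """Hardened admin-only action: a role check blocks vertical escalation."""
    if session.user_id is None:
        raise Unauthorized("login required")
    if session.role != "admin":
        raise Forbidden("admin role required")
    # The deletion itself is out of scope here; report that it would proceed.
    return True


def probe(handler, session: Session, *args) -> str:
    """Call one handler as one session and classify the outcome."""
    try:
        handler(session, *args)
        return "allowed"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


def access_matrix(handler, *args) -> dict:
    """Outcome of one action for every prepared session (one row of a role x action matrix)."""
    return {label: probe(handler, session, *args) for label, session in SESSIONS.items()}


if __name__ == "__main__":
    # The vulnerable handler hands user 2 the invoice that belongs to user 1.
    print("IDOR:", vulnerable_get_invoice(SESSIONS["other_user"], 1001))
    for name, handler, arg in [("get_invoice", get_invoice, 1001),
                               ("delete_user", delete_user, 1)]:
        print(name, access_matrix(handler, arg))
```

Returning the same "not found" outcome for a missing id and for another user's id is a deliberate choice: a distinct "forbidden" answer would confirm to a caller which ids exist, and that confirmation is exactly what makes enumerating references cheap. The matrix output is what you compare against the expected access levels you mapped during preparation; any cell that reads "allowed" where the role should not have it is a finding.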
A Comprehensive Checklist for IDOR and BAC Testing
Preparation Before Testing
- Understand the Application Logic:
  - Map out the roles (e.g., Admin, User, Guest) and their access levels.
  - Identify sensitive endpoints, actions, and data.
- Set Up Test Accounts:
  - Create accounts for different roles and test the application using each of them.
  - Include a guest session (not logged in) for testing as an unauthenticated user.
- Inspect API Endpoints and Responses: