Why You Should Start Caring About IDORs

Thexssrat
4 min readSep 25, 2022

Introduction

When we are hunting for broken access control (BAC), there are some general tips we can apply, and the same goes for IDORs. These are not specific technical steps, but they are certainly a handy guide to follow.

IDORs: let’s first explain what they are before diving into how to find them, and believe me, it will be a deep dive. Insecure Direct Object References consist of two parts. First there is the direct object reference, which is as simple as id=1: we are pointing directly at an object, and that object can be anything, an invoice, an address, a credit card, and so on. The insecure part refers to the fact that we can sometimes access objects we are not supposed to access. If both conditions are met, we speak of an IDOR. But how does the server know what you should and should not be able to access? Let’s get right into it!

Authentication vs authorization

We should make the distinction between authentication and authorization. As a user, I am either authenticated or unauthenticated, meaning logged in or not. Authentication refers to proving who I am, with my username and password or another mechanism such as biometrics or a PIN code. Authorization is a separate step: it means the server decides whether it will allow me, as that identified user, to perform a specific action, such as fetching an object’s details. An IDOR lives in that second step: the server has checked who I am, but not whether I am allowed to see the particular object I asked for.
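To make the authentication/authorization split concrete, here is an added example (not code from the original article) that models the id=1 invoice lookup described above. The handler names, the in-memory invoice store, the session tokens and the user names are all constructed for the demonstration. The first handler authenticates the caller and then dereferences the requested id directly, which is the IDOR pattern; the second adds the missing ownership check and records every denied lookup so that a burst of denials for one session shows up in detection.

```python
from typing import Optional

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1: {"owner": "alice", "amount": 120.0},
    2: {"owner": "bob", "amount": 75.5},
}

# Constructed session tokens -> authenticated user name.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Audit trail of authorization denials (user, invoice_id); a detection
# rule would alert on many entries for one user in a short window.
DENIED = []


class Unauthenticated(Exception):
    """Caller has no valid session (authentication failed)."""


class Forbidden(Exception):
    """Caller is logged in but not allowed to see this object (authorization failed)."""


def authenticate(token: str) -> str:
    """Authentication step: map a session token to a user, or reject."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated("no valid session")


def get_invoice_vulnerable(token: str, invoice_id: int) -> Optional[dict]:
    """Checks only that the caller is logged in, then returns whatever object
    the request points at. Any authenticated user can read any invoice by
    changing the id: a direct object reference with no ownership check."""
    authenticate(token)
    return INVOICES.get(invoice_id)


def get_invoice_secure(token: str, invoice_id: int) -> Optional[dict]:
    """Authentication followed by authorization: the invoice is returned only
    when it belongs to the authenticated user. Non-existent ids return None
    (a 404 in a real app); someone else's id is refused and logged."""
    user = authenticate(token)
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if invoice["owner"] != user:
        DENIED.append((user, invoice_id))
        raise Forbidden(f"{user} may not read invoice {invoice_id}")
    return invoice


def can_read(token: str, invoice_id: int) -> bool:
    """Convenience wrapper: True if the secure handler allows the lookup."""
    try:
        return get_invoice_secure(token, invoice_id) is not None
    except (Forbidden, Unauthenticated):
        return False


if __name__ == "__main__":
    # alice reading bob's invoice: succeeds on the vulnerable handler,
    # is refused on the secure one.
    print(get_invoice_vulnerable("tok-alice", 2))
    print(can_read("tok-alice", 1), can_read("tok-alice", 2))
    print(DENIED)
```

The key design point is that the ownership check is made on the server from the authenticated identity, never from anything the client sends alongside the id. Whether a refused lookup answers 403 or 404 is a separate choice (404 avoids confirming that the object exists), but either way the denial should be logged, because repeated denials from one session are the simplest signal that someone is iterating ids.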

Attack scenarios
