Here we go. Again.
IDOR, or insecure direct object reference, is a common yet insecure practice of referring to objects. By “insecure”, this simply means that it is easy to figure out the pattern of how objects are named. For example, the typical case of IDORs is numerical IDs that increment by one, such as the first three user IDs of this system being user_10001, user_10002, and user_10003. If there are 5000 users, we can probably assume there is a user_12352 and a user_14999. We might not know who exactly these random users are, but we have now figured out how to directly reference objects in a predictable manner.
By itself, it causes no vulnerability, but it gives attackers valuable insight into how an application functions and references its own objects. This becomes a weakness for the application, since any endpoint that forgets to check authorization can easily be abused. Finding these targets is not particularly complex, nor does it take much effort to exploit them. Previous bug bounties for this vulnerability type include a $20,000 bug bounty from GitLab and a $2500 bug bounty from Shopify.
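To make the two halves of that point concrete, here is an added example (my own code, not from the original post or from any of the programs mentioned) of a tiny in-memory profile API. The IDs, owners and emails are constructed sample data. One handler does exactly what the text warns about: it trusts the client-supplied ID and skips the per-object authorization check. The fixed handler checks that the caller owns the requested object, and the two helpers contrast the predictable user_10001-style scheme with an opaque identifier.

```python
"""Added example, not part of the original post: the IDOR pattern beside its fix.
All names, IDs and records below are constructed for illustration."""
import secrets
from dataclasses import dataclass


@dataclass
class Profile:
    user_id: str
    owner: str   # the account that is allowed to read this record
    email: str


# Constructed sample data using the sequential scheme described in the post.
PROFILES = {
    "user_10001": Profile("user_10001", "alice", "alice@example.invalid"),
    "user_10002": Profile("user_10002", "bob", "bob@example.invalid"),
    "user_10003": Profile("user_10003", "carol", "carol@example.invalid"),
}


class AccessDenied(Exception):
    """Single error for both 'missing' and 'not yours', so the endpoint does not
    confirm which IDs exist."""


def get_profile_vulnerable(session_user: str, user_id: str) -> Profile:
    """Looks up the object by the client-supplied ID only. The logged-in user is
    ignored, so any caller can fetch any profile: this is the IDOR weakness."""
    profile = PROFILES.get(user_id)
    if profile is None:
        raise AccessDenied(user_id)
    return profile


def get_profile_fixed(session_user: str, user_id: str) -> Profile:
    """Same lookup, but the handler verifies that the caller is authorized for
    this specific object before returning it."""
    profile = PROFILES.get(user_id)
    if profile is None or profile.owner != session_user:
        raise AccessDenied(user_id)
    return profile


def readable_profiles(handler, session_user: str) -> list[str]:
    """Which of the known IDs does `handler` hand to `session_user`? Used here to
    contrast the two handlers; it is the check a reviewer's test suite would run."""
    visible = []
    for uid in PROFILES:
        try:
            handler(session_user, uid)
            visible.append(uid)
        except AccessDenied:
            pass
    return visible


def next_sequential_id(last: str) -> str:
    """The predictable scheme from the post: user_10001 -> user_10002."""
    prefix, num = last.rsplit("_", 1)
    return f"{prefix}_{int(num) + 1}"


def new_opaque_id() -> str:
    """A non-guessable identifier. This removes easy enumeration but does NOT
    replace the authorization check; the fixed handler is still required."""
    return "user_" + secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("vulnerable handler, as alice:", readable_profiles(get_profile_vulnerable, "alice"))
    print("fixed handler, as alice:     ", readable_profiles(get_profile_fixed, "alice"))
    print("next sequential id:          ", next_sequential_id("user_10003"))
    print("opaque id:                   ", new_opaque_id())
```

The design point is that the fix lives in the handler, not in the ID format: switching to opaque IDs only raises the cost of guessing, while the ownership comparison in `get_profile_fixed` is what actually closes the hole. Returning one error for both missing and foreign objects keeps the endpoint from doubling as an existence oracle.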
I will be looking at a recent disclosure of an IDOR that HackerOne user high_ping_ninja found on a Reddit endpoint, earning a $5000 bug bounty.
I’m going to go over a recently disclosed and fixed bug found by HackerOne user high_ping_ninja on the social media site Reddit. The