Insecure Direct Object Reference
When the server trusts an ID in your request, changing it reaches data that isn't yours. Drill finding and proving that broken access control.
Identify a request parameter that references an object by id — a numeric record, a filename, a UUID. Change it to a value you shouldn't be able to access and read the response.
Confirm impact by retrieving another account's record; that is the evidence that an IDOR actually crosses a trust boundary rather than just producing an error. Variants change the identifier shape and the object exposed.
How the attack works
- Find a request that fetches an object by an identifier you can see.
  GET /api/invoice?id=1042
- Decrement or enumerate the identifier to reach a record you don't own.
  GET /api/invoice?id=1041
- Confirm the server returned another user's data instead of 403 / 404.
- Walk the range to show scope, then capture the flag from the exposed object.
On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.
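The root cause in the walkthrough above is a handler that looks up the row by id and never asks who owns it. The following is an added example, not code from PwnKata or its target: a constructed invoice store with the vulnerable lookup beside the fixed one (owner check, 404 for both "missing" and "not yours"), plus a small heuristic over constructed log lines that surfaces the range walk from step 2 by counting distinct ids per user.

```python
# Added example: object-level authorization for /api/invoice?id=<n>, and a
# log heuristic for the enumeration that exposes an IDOR. All data is constructed.
from collections import defaultdict

# Sequential ids are why decrementing 1042 -> 1041 lands on a neighbour's record.
INVOICES = {
    1041: {"owner": "alice", "amount": 250},
    1042: {"owner": "bob", "amount": 900},
    1043: {"owner": "carol", "amount": 75},
}

def vulnerable_get_invoice(current_user, invoice_id):
    """IDOR: trusts the id from the request; current_user is never consulted."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice

def hardened_get_invoice(current_user, invoice_id):
    """Authorize the object, not just the request: the owner must match the session."""
    invoice = INVOICES.get(invoice_id)
    # Same 404 for "missing" and "not yours", so a walk of the range cannot
    # use the status code to learn which ids exist.
    if invoice is None or invoice["owner"] != current_user:
        return 404, None
    return 200, invoice

def enumeration_suspects(log_lines, threshold=3):
    """Return users who requested at least `threshold` distinct invoice ids.

    Constructed log format: "<user> GET /api/invoice?id=<n> <status>".
    A normal user touches a few invoices of their own; a range walk shows up
    as many distinct ids, most of them answered with 403/404.
    """
    ids_seen = defaultdict(set)
    for line in log_lines:
        user, _method, path, _status = line.split()
        ids_seen[user].add(int(path.split("id=")[1]))
    return sorted(u for u, ids in ids_seen.items() if len(ids) >= threshold)

# Constructed sample log: bob walks 1040..1043, alice reads only her own invoice.
SAMPLE_LOG = [
    "alice GET /api/invoice?id=1041 200",
    "bob GET /api/invoice?id=1042 200",
    "bob GET /api/invoice?id=1041 404",
    "bob GET /api/invoice?id=1040 404",
    "bob GET /api/invoice?id=1043 404",
]

if __name__ == "__main__":
    print(vulnerable_get_invoice("bob", 1041))  # (200, alice's record): the IDOR
    print(hardened_get_invoice("bob", 1041))    # (404, None): ownership enforced
    print(enumeration_suspects(SAMPLE_LOG))     # ['bob']
```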
Recover the flag at /root/flag.txt and submit it.