#1 LEVEL 1 — BEGINNER
URL Path IDOR — /profile/{id}
Server fetches user data by the numeric ID in the URL path with no ownership check.
Logged in as: alice (ID: 1001) — Change the ID to access other profiles
Lab request builder: METHOD GET, PATH /profile/{id}
#2 LEVEL 1 — BEGINNER
Query String IDOR — ?user_id=
User ID passed as a query parameter. No server-side ownership verification.
Your account: ?user_id=1001 — Modify the parameter
Lab input: user_id
#3 LEVEL 1 — BEGINNER
Sequential Order IDs — ORD-001, ORD-002...
Predictable order ID pattern. Trivially enumerable across all users.
Lab input: ORDER ID (prefix ORD-)
#4 LEVEL 1 — BEGINNER
Incremental Numbers — /docs/1, /docs/2...
Auto-increment IDs. Every document is reachable by any user.
Lab input: DOC ID
#5 LEVEL 2 — INTERMEDIATE
POST Body IDOR — user_id in form data
Server trusts user_id in POST body to decide which account to modify.
Lab inputs (POST body, form-encoded): user_id, email, phone
#6 LEVEL 2 — INTERMEDIATE
JSON Body IDOR — {"user_id": 123}
JSON body contains the user identity. Server blindly trusts client-supplied ID.
Lab input: JSON request body
#7 LEVEL 2 — INTERMEDIATE
Base64 Encoded IDOR — /user/MTAwMQ==
ID is Base64 encoded — looks cryptic but is trivially decodable by anyone.
Lab inputs: USER ID, ENCODED (the lab shows the decoded value alongside the response)
#9 LEVEL 3 — ADVANCED
Custom HTTP Header — X-User-ID: 123
Server trusts X-User-ID header sent by client for authorization decisions.
Lab inputs (HTTP headers): Authorization, X-User-ID, X-Forwarded
#10 LEVEL 3 — ADVANCED
Cookie IDOR — user_id in unsigned cookie
user_id stored in plain cookie. No signing, no HttpOnly. Freely editable.
Lab inputs (browser cookies): session_id, user_id, role
#11 LEVEL 3 — ADVANCED
JWT Payload Manipulation — alg:none
Server decodes JWT but doesn't verify signature when alg=none.
Lab inputs (JWT token parts): HEADER, PAYLOAD, SIGNATURE; editable fields: sub, role, alg (the lab shows the decoded token alongside the response)
#12 LEVEL 3 — ADVANCED
OAuth Token — embedded user_id
Access token encodes user_id in plaintext. Server extracts without verifying binding.
Lab input: access_token
#13 LEVEL 3 — ADVANCED
Referer Header — auth bypass
Server checks Referer to grant access. Trivially spoofable from any client.
Lab inputs: Referer, Target
#14 LEVEL 3 — ADVANCED
GraphQL IDOR — resolver no auth
GraphQL resolver accepts any user(id:) without checking session ownership.
Lab input: GraphQL query
#15 LEVEL 3 — ADVANCED
WebSocket IDOR — target_user in message
WS message payload contains target_user. Server forwards without authorization check.
Lab input: WebSocket message
#16 LEVEL 4 — EXPERT
UUID/GUID IDOR — predictable or leaked
UUIDs look random but v1 (time-based) UUIDs are guessable. Sequential suffix exposed.
Lab input: UUID
#17 LEVEL 4 — EXPERT
Filename IDOR — /files/user1001_report.pdf
Files named with user IDs. Guess the filename, access any user's data.
Lab input: FILENAME
#18 LEVEL 4 — EXPERT
API Endpoint Enumeration
Enumerate order IDs sequentially. No rate limiting or cross-user access control.
Lab input: ORDER ID (the lab shows the response and an enumeration log)
#19 LEVEL 4 — EXPERT
Bulk Operations IDOR — inject IDs in array
Bulk API processes all IDs. Attacker injects other users' IDs into the array.
#20 LEVEL 4 — EXPERT
Nested JSON IDOR — {"order": {"user_id": 123}}
user_id buried inside nested structure. WAFs and shallow checks often miss it.
#21 LEVEL 4 — EXPERT
Array Parameter IDOR — ?user_id[]=1&user_id[]=2
Server iterates array without per-element ownership check.
Lab input: user_id[]
#22 LEVEL 4 — EXPERT
Admin Panel IDOR — /admin/users/{id}
Checks isLoggedIn() but not isAdmin(). Any authenticated user reaches admin pages.
Lab inputs: PATH /admin/users/{id}, SESSION
#23 LEVEL 4 — EXPERT
API Key IDOR — /api/keys/{id}
API key IDs are sequential. Retrieve or delete any user's production API key.
Lab input: KEY ID
#24 LEVEL 4 — EXPERT
Predictable Reset Token — MD5(uid+timestamp)
Reset token derived from user_id + timestamp. Brute-forceable for any account.
Lab inputs: USER ID, TIMESTAMP, TOKEN
#25 LEVEL 4 — EXPERT
Sequential Invoice URLs — /invoice/INV-0042.pdf
Sequential numbering exposes every company's financial records.
Lab input: INVOICE #
#26 LEVEL 4 — EXPERT
Chat Message IDOR — /messages/{id}
Sequential message IDs. Read anyone's private conversations.
Lab input: MESSAGE ID
#27 LEVEL 4 — EXPERT
Role/Subscription Escalation — role_id=1 → 3
Change role_id to jump from Free to Enterprise without paying.
Plan mapping: role_id=1 = Free Plan (5 req/day); role_id=3 = Enterprise (Unlimited)
Lab inputs: USER ID, ROLE ID
#28 LEVEL 4 — EXPERT
Hashed ID IDOR — MD5(user_id)
MD5 hash of a small integer is reversible in milliseconds via rainbow tables.
Lab inputs: USER ID, HASH