hub
- Insecure Direct Object Reference and is a type of access control vulnerability.
Example
- Try changing the user_id value to 1000 instead (http://online-service.thm/profile?user_id=1000), and to your surprise, you can now see another user’s information. You’ve now discovered an IDOR vulnerability.
- An attack known as parameter mining, you discover a parameter called user_id that you can use to display other users’ information, for example, /user/details?user_id=123.
Encoded IDs
- Encoding changes binary data into an ASCII string commonly using the
a-z, A-Z, 0-9 and =character for padding. The most common encoding technique on the web is base64 encoding and can usually be pretty easy to spot. - More IDs like Hashed are a little complicated but exist too.