Security - Authorization Beginner 5 possible tests

IDOR

You are logged in as Bob. Change the card ID in the request and see whose data you can access.

Logged in as: bob   |   user_id: 2   |   role: user
Your own card is ID 2. Any other ID belongs to someone else.

What is IDOR?

Insecure Direct Object Reference occurs when an application exposes internal identifiers - like database record IDs - in URLs or parameters, and does not verify that the requesting user is authorized to access that specific object. Checking that the ID is well-formed or that the record exists is not an authorization check; the ownership test has to happen on the object that was actually fetched.

What is hidden here

True Negative: Accessing your own card (ID 2) returns your data - expected
Bug Found: Accessing IDs 1, 3, 4, 5 returns other users' cards with no ownership check
True Positive: Accessing a non-existent ID (e.g. 99) returns 404
True Positive: Negative or zero IDs are rejected as invalid
Bug Found: Sequential ID enumeration exposes the full user list

Probe Card IDs


GET /qa-sandbox/idor/?id=2

Response fields: id, owner, title, email, phone, company

  • Click ID: 2 (yours) - your own card, access expected (true negative)
  • Click ID: 1 through ID: 5 (except 2) - each returns another user's card, including email and phone (bug found)
  • Click ID: 99 - record does not exist, 404 returned (true positive)
  • Click ID: -1 - invalid range, rejected (true positive)
  • Walk IDs 1-5 in sequence to recover the full user list - this is the real-world attack: sequential, predictable IDs turn one missing check into a data dump
  • In Postman: GET /qa-sandbox/idor/?id=3 - no auth headers needed; the sandbox endpoint does not require a session, so the bug is exploitable without credentials
  • In Postman: use Collection Runner with variable id from 1 to 10 to automate enumeration; the responses with status 200 whose owner is not user_id 2 are the leaks
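The following script is an added example, not code from the sandbox. It models the endpoint described above (validate the id, look the card up, return it) as a vulnerable handler next to a hardened one that also checks ownership, and runs the same sequential probe the Postman Collection Runner step performs, classifying each response as own card, leak, not found, or rejected. The card table, the user names, and the handler and function names are all constructed for the example and are not taken from the sandbox.

```python
"""IDOR probe and fix, as an added example (not the sandbox's own code).

Assumptions (hypothetical, not from the page): the sandbox's card table is
modelled as an in-memory dict keyed by integer id; the logged-in user is
user_id 2 (bob) as shown on the page. All card data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data standing in for the sandbox's card table.
CARDS = {
    1: {"owner": 1, "title": "CEO",       "email": "alice@example.test", "phone": "555-0101", "company": "Example Co"},
    2: {"owner": 2, "title": "Engineer",  "email": "bob@example.test",   "phone": "555-0102", "company": "Example Co"},
    3: {"owner": 3, "title": "Finance",   "email": "carol@example.test", "phone": "555-0103", "company": "Example Co"},
    4: {"owner": 4, "title": "Sales",     "email": "dave@example.test",  "phone": "555-0104", "company": "Example Co"},
    5: {"owner": 5, "title": "Support",   "email": "erin@example.test",  "phone": "555-0105", "company": "Example Co"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def parse_id(raw: str) -> Optional[int]:
    """Input validation only: the id must be a positive integer.
    Zero and negative ids are rejected, as the page describes. This says
    nothing about whether the caller is allowed to see that record."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    return value if value > 0 else None


def get_card_vulnerable(session_user_id: int, raw_id: str) -> Response:
    """The behaviour the page describes: validates the id, looks it up,
    and returns whatever it finds. session_user_id is never consulted."""
    card_id = parse_id(raw_id)
    if card_id is None:
        return Response(400)
    card = CARDS.get(card_id)
    if card is None:
        return Response(404)
    return Response(200, {"id": card_id, **card})


def get_card_fixed(session_user_id: int, raw_id: str) -> Response:
    """Hardened lookup: same validation, plus an ownership check on the
    object that was actually fetched. Other users' cards get 404, not 403,
    so the endpoint does not confirm which ids exist."""
    card_id = parse_id(raw_id)
    if card_id is None:
        return Response(400)
    card = CARDS.get(card_id)
    if card is None or card["owner"] != session_user_id:
        return Response(404)
    return Response(200, {"id": card_id, **card})


def probe(handler: Callable[[int, str], Response],
          session_user_id: int, ids: Iterable[str]) -> Dict[str, str]:
    """Enumerate ids the way the Collection Runner step does and classify
    each response from the logged-in user's point of view."""
    results: Dict[str, str] = {}
    for raw in ids:
        resp = handler(session_user_id, raw)
        if resp.status == 200:
            results[raw] = "own" if resp.body["owner"] == session_user_id else "leak"
        elif resp.status == 404:
            results[raw] = "not_found"
        else:
            results[raw] = "rejected"
    return results


def leaked_ids(results: Dict[str, str]) -> List[str]:
    """Ids whose response exposed another user's card."""
    return [k for k, v in results.items() if v == "leak"]


if __name__ == "__main__":
    ids = [str(i) for i in range(-1, 11)]
    for name, handler in (("vulnerable", get_card_vulnerable), ("fixed", get_card_fixed)):
        r = probe(handler, 2, ids)
        print(f"{name}: {r}\n  leaks: {leaked_ids(r)}")
```

Running it against the vulnerable handler as user 2 reports ids 1, 3, 4 and 5 as leaks, -1 and 0 as rejected, and 6 through 10 as not found; the same probe against the fixed handler reports only id 2 as a hit. Note that the fix returns 404 for another user's card rather than 403: a 403 would tell an enumerating attacker that the id exists, which is the second bug the page lists.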