My first IDOR on hackerone

Hello all… Today, I will be sharing with you how I discovered an IDOR vulnerability on a government website.

So what is IDOR?

Insecure Direct Object Reference (IDOR) vulnerabilities are a common security flaw in which applications unintentionally expose sensitive internal objects such as files, databases, and user details.

Let's see what I found, and how!

While searching on Shodan, I stumbled upon an IP address that belonged to the government of Singapore. From there, I discovered the domain example, and began looking for subdomains, eventually using the Firefox extension “Open multiple URL” to open them all at once.

While browsing the tabs, I discovered a sign-up page for users on one subdomain and created an account to access the dashboard. However, when I clicked on “My profile” it took me to the profile of the superadmin, at “/profile/edit/1”, where I could view personal details such as email, address, phone number, and location, but not edit them :(

After experimenting with different ID values, I eventually found my own profile at “/profile/edit/52”. Still, I quickly reported this vulnerability via the main domain’s “Report vulnerability” link on HackerOne, and it got accepted :)
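To make the root cause concrete, here is an added example (my own code, not anything from the post or the affected site) that models the “/profile/edit/<id>” endpoint: first in the IDOR-prone shape described above, where the id in the URL is trusted, then with the ownership check that fixes it, plus a small log check that flags the kind of id-walking that uncovered it. All user ids, roles, addresses and log entries are constructed sample data.

```python
# Added example, not code from the original post: a minimal model of the
# "/profile/edit/<id>" endpoint, first in the IDOR-prone shape the post
# describes, then with the ownership check that fixes it. All ids, roles,
# e-mail addresses and log entries below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    user_id: int
    role: str
    email: str

# Constructed data: id 1 is the superadmin, id 52 an ordinary user.
PROFILES = {
    1: Profile(1, "superadmin", "admin@example.invalid"),
    52: Profile(52, "user", "user52@example.invalid"),
}

class NotFound(Exception):
    """Used for missing and foreign records alike, so the response
    does not reveal which ids exist."""

def profile_edit_vulnerable(session_user_id, requested_id):
    """IDOR: the id from the URL is trusted; only existence is checked."""
    if requested_id not in PROFILES:
        raise NotFound()
    return PROFILES[requested_id]

def profile_edit_fixed(session_user_id, requested_id):
    """Authorise the object, not just the request: the record must belong
    to the session user unless the caller holds a privileged role."""
    caller = PROFILES[session_user_id]
    profile = PROFILES.get(requested_id)
    if profile is None or (profile.user_id != session_user_id
                           and caller.role != "superadmin"):
        raise NotFound()  # same answer as a missing id: no enumeration oracle
    return profile

def enumeration_suspects(access_log, threshold=5):
    """Detection side: flag sessions that requested more distinct profile
    ids than one user legitimately needs. access_log holds
    (session_user_id, requested_id) tuples taken from the web log."""
    seen = defaultdict(set)
    for session_user_id, requested_id in access_log:
        seen[session_user_id].add(requested_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

The simplest fix of all is to drop the id from the URL for the “my profile” case and resolve the record from the session alone; the check above is for endpoints that genuinely need an id.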

This is a short summary of how I found an IDOR vulnerability. Thank you for your time, and happy hunting! ❤
