IDOR on API endpoints.

Hey guys,

I’m here to share my recent finding on a website, which prompted me to pen down my first post. I cannot disclose the name of the company because of the Non-Disclosure Agreement (NDA). So I’ll be using for references.

.       .      .       .      .


I found out that, while requesting an endpoint of an API, there was a lack of an access control policy (Broken Access Control), which allowed me to edit/delete the work experience and educational details of any user without their permission.


What is IDOR?
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

.       .      .       .      .


So, I had been testing for the last 3 days. I found some bugs, including cross-site scripting, rate limiting, etc. I was not satisfied with what I had, so I started digging for more. After an hour of searching, my eyes got stuck on the response of an API request, which was:


Work creation Response


You can clearly see that this response includes an ‘id’ parameter ("id":2150). This caught my attention.
This response was generated because I had added a work experience to my profile. The original request was:


Work creation Request


Now I started fuzzing that location. I tried a few things, like creating a work experience for another user by adding some parameters to the JSON inside the body of the request, but nothing happened.
I was about to move on from this endpoint, but suddenly I thought about checking the delete functionality of the work experience. I deleted the work experience on my profile and captured the request:


Delete Request of work experience.


Now I think you have also caught that interesting parameter in the URL. The method was DELETE and the URL was
That number (‘2150’) in the request again caught my attention. Now see the response to the above request:


Delete Response of work experience.


The response contains the status code ‘204 No Content’, which means that the work experience was deleted successfully and there was no content at that location.
Now I created another account and again followed the above steps. I added a work experience to this profile. The request was:


Request for Creating work [2nd Account]

The response had something which again brought back my earlier thoughts.



Here "id":2151, which was the successor of the id of the previous work experience I had created with my first account. Now I knew that the ids were being assigned sequentially. From the first account I again created another work experience. The idea now was to check for an IDOR vulnerability, so I tried to delete the work experience of the 2nd account by using the request from the first account. Make sure you remember the creation id (2150) of the first work experience.
The deletion request from my first account was:


Deletion Request from my first account.


In the above Request, I changed the value of the id from 2150 to 2151.
The response was:






So, I had just deleted the work experience of my 2nd account with my first account. Again, I tried the same for adding educational details on the website.

Luckily, I succeeded again.

.       .      .       .      .


I could have edited/deleted the work experience and educational details of every user registered on that website without any permission.


  • Always inspect the responses of API endpoints that take parameters.
  • If a number is being passed in the API, try fuzzing the endpoint and look for IDOR.
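To make the bug above concrete, here is an added example (not code from the original post or from the application that was tested): a minimal in-memory model of a DELETE /work/{id} endpoint that only checks that the caller is logged in, next to a hardened version that also checks that the record belongs to the caller, plus a small detector that flags cross-account deletions in application logs. The store, the two accounts, the log format and the log lines are all constructed for illustration; only the ids 2150 and 2151 follow the post.

```python
"""Vulnerable vs. ownership-checked delete, and a log-based detector for IDOR abuse."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class WorkExperience:
    id: int
    owner_id: int
    title: str


@dataclass
class Store:
    """Constructed in-memory record store with sequential ids, as observed in the post."""
    records: Dict[int, WorkExperience] = field(default_factory=dict)
    next_id: int = 2150

    def create(self, owner_id: int, title: str) -> WorkExperience:
        rec = WorkExperience(self.next_id, owner_id, title)
        self.records[rec.id] = rec
        self.next_id += 1
        return rec


def delete_work_vulnerable(store: Store, session_user_id: Optional[int], work_id: int) -> int:
    """Authentication only: any logged-in user can delete any record by guessing its id."""
    if session_user_id is None:
        return 401
    if work_id not in store.records:
        return 404
    del store.records[work_id]
    return 204


def delete_work_secure(store: Store, session_user_id: Optional[int], work_id: int) -> int:
    """Authentication plus authorization: the record must belong to the caller."""
    if session_user_id is None:
        return 401
    rec = store.records.get(work_id)
    # Same 404 for "does not exist" and "not yours", so the endpoint does not
    # confirm which ids belong to other accounts.
    if rec is None or rec.owner_id != session_user_id:
        return 404
    del store.records[work_id]
    return 204


def reproduce(delete_fn) -> Tuple[int, bool, int]:
    """Replay the post's scenario against a handler.

    Returns (status when user 1 deletes user 2's record,
             whether user 2's record survived,
             status when user 1 deletes their own record).
    """
    store = Store()
    mine = store.create(owner_id=1, title="Intern")       # id 2150
    theirs = store.create(owner_id=2, title="Analyst")    # id 2151
    cross = delete_fn(store, 1, theirs.id)
    own = delete_fn(store, 1, mine.id)
    return cross, theirs.id in store.records, own


# Constructed application-log format: the POST line records the id the
# server handed out, so creator and deleter can be compared later.
LINE_RE = re.compile(
    r"user=(?P<user>\d+) (?P<method>POST|DELETE) /api/work(?:/(?P<id>\d+))?"
    r"(?: id=(?P<new_id>\d+))? status=(?P<status>\d{3})"
)

SAMPLE_LOG = """\
user=1 POST /api/work id=2150 status=201
user=2 POST /api/work id=2151 status=201
user=1 DELETE /api/work/2150 status=204
user=1 DELETE /api/work/2151 status=204
"""


def find_cross_account_deletes(log_text: str) -> List[Tuple[int, int]]:
    """Return (user, work_id) pairs where a user deleted a record someone else created."""
    creator: Dict[int, int] = {}
    hits: List[Tuple[int, int]] = []
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        user, status = int(m["user"]), int(m["status"])
        if m["method"] == "POST" and status == 201 and m["new_id"]:
            creator[int(m["new_id"])] = user
        elif m["method"] == "DELETE" and status == 204 and m["id"]:
            wid = int(m["id"])
            if creator.get(wid, user) != user:
                hits.append((user, wid))
    return hits


if __name__ == "__main__":
    print("vulnerable:", reproduce(delete_work_vulnerable))   # (204, False, 204)
    print("secure:    ", reproduce(delete_work_secure))       # (404, True, 204)
    print("flagged:   ", find_cross_account_deletes(SAMPLE_LOG))  # [(1, 2151)]
```

The fix is the ownership comparison in `delete_work_secure`, done server-side against the session, never against anything the client sends. Switching the ids from sequential integers to random ones would make guessing 2151 harder, but it is not a substitute for that check. The detector only works because the constructed log records which user created each id; if your logs do not carry that, the creator lookup has nothing to compare against and the cross-account pattern is invisible.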

.       .      .       .      .


I tested this website during my internship.
So, yes, I did not get any special bounty.


For more on IDOR, you can follow these links: BugCrowd, PortSwigger and OWASP.

Thank you for reading so far.
Hope you have learned something.

In case you want to reach out, here’s where you can find me.
Twitter: @abhiunix
Linkedin: @abhiunix
