Ultimate IDOR Testing Checklist

Phase 1: Setup & Target Identification

[ ] Create Test Accounts: Create two accounts (Attacker and Victim) for safe testing of destructive requests (POST/PUT/DELETE).
[ ] API Identification: Find JSON endpoints over rendered HTML.
[ ] Sensitivity Analysis: Target critical functions first (password reset, account recovery, financial data, DMs, user management).
[ ] ID Audit: Check if endpoint is private or public and contains any kind of ID parameter.
[ ] ID Leakage: Check for IDs leaked via other API endpoints or public pages (public profile pages, listings).
[ ] Map Clients: Collect web/mobile clients, open APIs from decompiled mobile (jadx/apktool), and swagger/openapi if present.

Phase 2: Direct ID Substitution & Enumeration

Technique	Scenario to Test (Attacker ID=10, Victim ID=9)
Basic ID Flip	`GET /api/v5/users/10` -> `GET /api/v5/users/9`
Incremental Numeric Brute Force	Loop over sequential numeric IDs (decrement/increment from own ID).
Non-Numeric ID Substitution	Replace param with email / username / UUID.
Complex ID Brute Force	Brute force short alphanumeric segments (last 1–4 chars).
Predictable ID / Combined ID	`/user/2222/data/3333` — change one or both parts.
Hashed/Derived IDs (MD5/SHA1 pattern)	Detect hashed IDs, create accounts to infer mapping, try replacing derived hashes.

Phase 3: Path and URL Manipulation Bypasses

Technique	Scenario to Test (Attacker ID=10, Victim ID=9)
Trailing Slash	`GET /api/v5/users/9` -> `GET /api/v5/users/9/`
Double Slashes / Obfuscated Path	`GET /api/v5/users//9` or `GET /api/v5/users/./9`
Case Variation / Key Swapping	`/api/User?id=123` vs `/api/user?id=123` or `user_id` ↔ `userid`
Path Traversal / Mixed Paths	`POST /users/delete/my_id/../victim_id`
Wildcard Substitution	`GET /api/users/*` or `GET /api/users/user_id`
Fuzz Keywords in Path	`GET /api/v3/users/12345` -> `/api/v3/users/all`
SQLi Quick Check	`GET /api/v3/users/12345'`

Phase 4: Logic & Endpoint Bypasses

Technique	Scenario to Test
Version Downgrading	`GET /v3/user/111` -> `GET /v1/user/111`
Sub-Endpoint Variant	Full profile endpoint vs less-protected detail endpoint
Missing Function Level Access / Case Variants	`GET /admin/profile` -> `GET /Admin/profile`
Owner Flag / Role Field Differences	Look for `"owner": true/false`, `"is_admin"`, role fields returned in body and try to toggle via params or token swap.
Token / Authorization Swap	Replace `access_token`/API key with victim's or other known tokens (or swap attacker token for victim token in request) to test token-scoped checks.
Cached Role Check / Session Race	Logout/login, change roles, re-test to detect cache-based false-negatives.
Token Binding Flaws	Tokens (e.g., unsubscribe tokens, action tokens) are validated for structure and expiry but not bound to a specific resource (resource_id / page_id / email). Test by reusing a valid token issued for resource A against resource B. Example: `POST /unsubscribe?token=<valid_token_for_user_A>&page_id=B` — if server accepts token without checking binding, action succeeds.
Frontend–Backend Desync / Logic Mismatch	Frontend hides or restricts certain IDs or operations, but backend endpoints accept those IDs without verifying resource ownership. Test by sending requests with IDs that the frontend never exposes (or disables) and see if backend performs the action. Example: UI shows tasks for user=10 only, but `POST /deleteTask` with `taskId=11` deletes another user's task if backend lacks owner check.

Phase 5: Parameter & Body Abuse

Technique	Scenario to Test (Attacker ID=10, Victim ID=9)
Add Parameter Bypass	`GET /api_v1/messages` -> `?user_id=victim_uuid`
Multi-ID / Comma Separation	`GET /api/users?id=10,9`
Alternate Separators	`{"Account": 2222;1111}` or `2222.1111`
HTTP Parameter Pollution (HPP)	`?user_id=10&user_id=9`
JSON Array Wrap	`{"userid":[123]}`
JSON Object Wrap (Nested)	`{"userid":{"userid":123}}`
JSON Parameter Pollution	`{"userid":1234,"userid":2542}`
Null Termination (%00)	`GET /api/users/9%00`
Control Char Encoding (CR/LF)	`%0d%0a` inside JSON or param
Replace Parameter Name	`album_id` -> `account_id`
Multi-ID Injection (Batch IDs)	`{"ids":[111,222,333]}` — include victim id among attacker ids to see leakage.
Deserialization / Object Injection	Send an object in place of a primitive ID or crafted serialized payload to influence server-side deserialization logic (e.g., `{"user": {"id": 9, "role": "admin"}}` or sending a serialized protobuf/object). Test by replacing `user_id=9` with `user={"id":9}` or sending crafted object payloads. Servers that blindly accept deserialized objects may map them to existing objects or honor fields leading to IDOR or privilege escalation. Example: `POST /api/profile/update` with body `{"user":{"id":9,"notify":true}}` might operate on victim's profile if backend trusts deserialized object without owner check.