IDORs, let's first explain what they are before deep diving into how to find them, and believe me, it will be deep. Insecure Direct Object References consist of two things. First we have the direct object reference, which means as much as id=1: we are directly pointing to an object, and this can be anything. It can be an invoice, an address, a credit card, ... The insecure part refers to the fact that we can sometimes access objects that are not supposed to be accessible to us. If both conditions are met, we speak of an IDOR. But how does the server know what you should be able to access and what not? Let's get right into it!
We should make the distinction between authentication and authorisation. As a user I can either be authenticated or unauthenticated. This means that I am either logged in or not, and the authentication part refers to the fact that I authenticated myself with my username and password or any other security system such as biometrics or a PIN code. I can also be authorised, which means that the server will allow me to perform a specific action (like grabbing an object's details). Authentication answers "who are you?"; authorisation answers "may you do this to this object?", and an IDOR is a failure of the second check, not the first.
The reason I want to talk about the attack scenarios is because they can be pretty diverse, as you saw above! First of all, we can try to access an object unauthenticated, which means not logged in, by going to a URL like GET /invoices?id=432. Please note I only talk about GET parameters here, but it can also be a POST request, a PUT, a DELETE and even a PATCH request. As long as an object identifier is used, the endpoint might be vulnerable to IDORs.
Besides this, we might also be plagued by authenticated IDORs, where we are logged in and trying to grab a resource we are allowed to use, like /invoices, but we are trying to grab an object on that resource that is not normally accessible to us.
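To make the authentication/authorisation split and the two scenarios above (unauthenticated and authenticated IDOR) concrete, here is an added example that is not part of the original post: a minimal invoice lookup handler written twice, once trusting the id as-is and once checking who owns the object. No web framework is involved; requests are plain dicts, and the invoices, session tokens and user names are constructed sample data.

```python
"""Added example (not from the original post): the same GET /invoices?id=...
handler in an insecure and a checked form. Requests are plain dicts so the
code runs offline; all data below is constructed sample data."""

# Constructed sample data: sequential invoice ids are what make a direct
# object reference easy to guess (id=432 in the post is just an example).
INVOICES = {
    431: {"owner": "alice", "amount": 120.00},
    432: {"owner": "bob", "amount": 950.00},
}

# Constructed session table: session token -> user name.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def current_user(request):
    """Authentication: who is calling? Returns None when not logged in."""
    return SESSIONS.get(request.get("session"))


def get_invoice_vulnerable(request):
    """Insecure direct object reference: the id is looked up and returned.

    GET /invoices?id=432 works for anyone, logged in or not, because the
    handler never asks whether this caller may see invoice 432.
    Returns (http_status, body)."""
    invoice_id = int(request["params"]["id"])
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice


def get_invoice_hardened(request):
    """Checked reference: authenticate first, then authorise per object.

    - no valid session -> 401 (blocks the unauthenticated scenario)
    - not the owner    -> 404 (blocks the authenticated scenario; 404
                          rather than 403 so the response does not confirm
                          that the invoice exists)
    - owner            -> 200 with the invoice
    Returns (http_status, body)."""
    user = current_user(request)
    if user is None:
        return 401, None
    invoice_id = int(request["params"]["id"])
    invoice = INVOICES.get(invoice_id)
    # Authorisation is a property of (user, object), not of the URL.
    if invoice is None or invoice["owner"] != user:
        return 404, None
    return 200, invoice


if __name__ == "__main__":
    anon = {"session": None, "params": {"id": "432"}}
    alice = {"session": "tok-alice", "params": {"id": "432"}}
    bob = {"session": "tok-bob", "params": {"id": "432"}}
    for name, req in [("anonymous", anon), ("alice", alice), ("bob", bob)]:
        print(f"{name:9} vulnerable={get_invoice_vulnerable(req)[0]} "
              f"hardened={get_invoice_hardened(req)[0]}")
```

The point to take from the hardened version is where the check lives: the ownership comparison is done against the object that was fetched, not against anything in the request, so it does not matter whether the id arrives in a GET parameter, a POST body or a PATCH payload.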
Now that we are logged in, however, we need to define another attack scenario, one that has been on the rise because companies share a single server between multiple clients. Think of applications like HR or invoicing applications that are marketed to businesses (B2B). These applications have two different attack scenarios: