
Insecure Direct Object Reference

Difficulty: Beginner

Change an order ID in the URL to read another user's data. IDOR is a form of Broken Access Control, #1 in the OWASP Top 10 — no hacking needed, just increment a number.

Starting request: GET /api/orders/1042

Challenges

1. Access Another User's Order
   You are logged in as alice. Request order 1043 (bob's order) and read his purchase.

2. Read an Admin Invoice
   Switch to the Invoices endpoint. Guess INV-0001 to access the admin's invoice.

3. Mass Assignment — Escalate Your Role
   Switch to the Profile endpoint. Send a PATCH with {"role":"admin"} in the body.
How to fix IDOR
Ownership checks (verify the requested record belongs to the authenticated user), attribute allowlists (only client-settable fields such as email are accepted, never role), and UUID randomisation (unguessable IDs instead of sequential numbers, as defence in depth).
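As an added illustration, not part of the EncryptCodec simulation's own server code, here is a minimal in-memory model of the lab's orders and profile endpoints showing the ownership check and attribute allowlist beside the vulnerable lookup; all users, order IDs, email addresses and field names are constructed.

```python
# Added example, not the simulation's own server code. Models the lab's
# GET /api/orders/<id> and PATCH /api/profile with the fixes the page names
# (ownership check, attribute allowlist, UUID IDs) beside the vulnerable lookup.
# Every user, order ID and field name below is constructed sample data.
import uuid

# Constructed data mirroring the lab: alice owns 1042, bob owns 1043.
ORDERS = {
    1042: {"owner": "alice", "item": "keyboard"},
    1043: {"owner": "bob", "item": "headphones"},
}
PROFILES = {
    "alice": {"role": "user", "email": "alice@example.test"},
    "bob": {"role": "user", "email": "bob@example.test"},
}
# Fields a client may change on its own profile. "role" is deliberately
# absent, so the challenge-3 payload {"role": "admin"} is refused.
PROFILE_ALLOWLIST = {"email", "display_name"}


def get_order_vulnerable(current_user, order_id):
    """Looks up by ID alone: any logged-in user reads any order (challenge 1)."""
    return ORDERS.get(order_id)


def get_order(current_user, order_id):
    """Ownership check; returns (body, status). 'Missing' and 'not yours' both
    give 404 so a guessed ID is never confirmed to exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        return None, 404
    return order, 200


def patch_profile(current_user, body):
    """Attribute allowlist against mass assignment (challenge 3). Disallowed
    fields are rejected with 400, not silently dropped, so the attempt is visible."""
    rejected = set(body) - PROFILE_ALLOWLIST
    if rejected:
        return {"error": "fields not allowed", "fields": sorted(rejected)}, 400
    PROFILES[current_user].update(body)
    return PROFILES[current_user], 200


def new_order_id():
    """Random UUID instead of a sequential integer, so IDs cannot be enumerated.
    Defence in depth only: get_order's ownership check is still required."""
    return str(uuid.uuid4())
```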
