Top 50+ Bug Hunter IDOR List Writeups - Thebughacker

 IDOR bug writeup


Hi Friends,
I have seen many newly started bug hunters asking on social media for writeups of a vulnerability so they can understand the concept and then apply the same method to find that bug on a website or app.

I did the same thing 😅 when I started my journey, so I understand your problem.

So I decided to put all the bug writeups in one place. Below is a list of IDOR writeups written by bug bounty hunters from around the world.


List of IDOR writeups: 

  1. CSRF with IDOR - A Deadly Combo 
  2. API based IDOR to leaking Private IP address of 6000 businesses
  3. Sensitive data leak using IDOR in integration service
  4. Chaining password reset link poisoning, IDOR, and information leakage to achieve account takeover at api.redacted.com
  5. How i could take over any Account on a USA Department of Defense Website due to a simple IDOR
  6. Accidental Observation to Critical IDOR
  7. 6k$ Worth Account Takeover via IDOR in Starbucks Singapore
  8. The Art of IDOR: 7 IDORs in Edm0d0
  9. PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover
  10. #Bugbounty- “How I was able to see other users Payments in a travel application” — IDOR #800$
  11. Account Takeover via IDOR
  12. A Simple IDOR which should not be missed on dating site
  13. Idor in google product
  14. Taking Over Files in a chat - IDOR in Microsoft Teams
  15. All About Getting First Bounty with IDOR
  16. [IDOR] Delete saved credit cards from any Business Manager Account - Facebook Bug Bounty
  17. IDOR in session cookie leading to Mass Account Takeover
  18. Chaining an IDOR with a business-logic error to achieve critical impact
  19. Listing all registered email addresses on Google’s Crisis Map thanks to IDOR and incremental IDs
  20. A Simple IDOR to Account Takeover
  21. Accidental IDOR that Deleted Admin Account.
  22. A Less Known Attack Vector, Second Order IDOR Attacks
  23. Story of an IDOR via HTTP
  24. Exploiting a Self Stored XSS with an IDOR
  25. GraphQL IDOR leads to information disclosure
  26. HTTP Request Smuggling + IDOR
  27. IDOR via Websockets
  28. Stories Of IDOR-Part 2
  29. Chains on Chains!! Chaining several IDOR’s into Account Takeover(PART ONE)
  30. Stories Of IDOR
  31. 1st Bounty Story | Rewarded 300$ (IDOR)
  32. Story of an IDOR via Email
  33. Accidental IDOR
  34. IDOR: Payment Fraud
  35. IDOR — Account Takeover
  36. Account takeover using IDOR and the misleading case of error 403.
  37. IDOR Leads To Project Takeover
  38. A $5000 IDOR…
  39. Edmodo — IDOR to view private files of any class
  40. EdM0d0 IDOR Vulnerabilities
  41. My very first bug: a dreaded dupe and then an IDOR jackpot!
  42. Bug Writeup: FBCTF IDOR
  43. How I was able to Extract Information of Other Users- Exploiting IDOR
  44. AntiHack IDOR on Create Submission
  45. How I was able to delete Google Gallery Data [IDOR]
  46. Change Anyone’s profile picture-Exploiting IDOR
  47. IDOR in JWT and the shortest token you will ever see {}.{“uid”: “1234567890”}
  48. Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR)
  49. IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent
  50. IDOR User Account Takeover By Connecting My Facebook Account with victims Account
  51. IDOR FACEBOOK: malicious person add people to the “Top Fans”
  52. YAHOO IDOR -elimination of any comment
  53. IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo
  54. Gsuite Hangouts Chat 5k IDOR
  55. How I was able to see any private album passwrod in Picturepush — IDOR
  56. How i HACKED admin account via password reset IDOR function of one private currency exchanger site
  57. Ribose — IDOR with Simple CSRF Bypass — Unrestricted Changes and Deletion to other Photo Profile
  58. How I Get the Name of the Hotel (and other Data) that you ever Stay - Personal Data Leaks: Private Bug Bounty Program
  59. IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks
  60. How I found IDOR on Twitter’s Acquisition – Mopub.com
  61. Abusing internal API to achieve IDOR in New Relic
  62. How I Pwned a company using IDOR & Blind XSS
  63. Taking over every Ad on OLX (automated), an IDOR story
  64. IDOR – Execute JavaScript into anyone account
  65. IDOR on HackerOne Hacker Review “What Program Say”
  66. Developer Luminate IDOR
  67. Insecure Direct Object Reference In Facebook Events
  68. IDOR While Connecting Social Account in Hackster.io
  69. How a simple IDOR become a $4K User Impersonation vulnerability
  70. Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages
  71. IDOR in Facebook’s Acquisition (Parse)
  72. Access developer tasks list of any Facebook Application (GraphQL IDOR)
  73. $4300 Instagram IDOR Bug (2022)
  74. Another day, Another IDOR vulnerability - $5000 Reddit Bug Bounty

If you want to submit your writeup to the list, submit it here.