Hi Friends,
I have seen many newly started bug hunters asking on social media for writeups of a vulnerability so they can understand the concept and then apply the same method to find a bug on a website or app.
I did the same thing 😅 when I started my journey, so I understand your problem.
So I decided to put all the IDOR bug writeups in one place. Below is a list of IDOR writeups written by bug bounty hunters from around the world.
List of IDOR writeups:
- CSRF with IDOR - A Deadly Combo
- API based IDOR to leaking Private IP address of 6000 businesses
- Sensitive data leak using IDOR in integration service
- Chaining password reset link poisoning, IDOR, and information leakage to achieve account takeover at api.redacted.com
- How i could take over any Account on a USA Department of Defense Website due to a simple IDOR
- Accidental Observation to Critical IDOR
- 6k$ Worth Account Takeover via IDOR in Starbucks Singapore
- The Art of IDOR: 7 IDORs in Edm0d0
- PII Leakage via IDOR + Weak PasswordReset = Full Account Takeover
- #Bugbounty- “How I was able to see other users Payments in a travel application” — IDOR #800$
- Account Takeover via IDOR
- A Simple IDOR which should not be missed on dating site
- Idor in google product
- Taking Over Files in a chat - IDOR in Microsoft Teams
- All About Getting First Bounty with IDOR
- [IDOR] Delete saved credit cards from any Business Manager Account - Facebook Bug Bounty
- IDOR in session cookie leading to Mass Account Takeover
- Chaining an IDOR with a business-logic error to achieve critical impact
- Listing all registered email addresses on Google’s Crisis Map thanks to IDOR and incremental IDs
- A Simple IDOR to Account Takeover
- Accidental IDOR that Deleted Admin Account.
- A Less Known Attack Vector, Second Order IDOR Attacks
- Story of an IDOR via HTTP
- Exploiting a Self Stored XSS with an IDOR
- GraphQL IDOR leads to information disclosure
- HTTP Request Smuggling + IDOR
- IDOR via Websockets
- Stories Of IDOR-Part 2
- Chains on Chains!! Chaining several IDOR’s into Account Takeover(PART ONE)
- Stories Of IDOR
- 1st Bounty Story | Rewarded 300$ (IDOR)
- Story of an IDOR via Email
- Accidental IDOR
- IDOR: Payment Fraud
- IDOR — Account Takeover
- Account takeover using IDOR and the misleading case of error 403.
- IDOR Leads To Project Takeover
- A $5000 IDOR…
- Edmodo — IDOR to view private files of any class
- EdM0d0 IDOR Vulnerabilities
- My very first bug: a dreaded dupe and then an IDOR jackpot!
- Bug Writeup: FBCTF IDOR
- How I was able to Extract Information of Other Users- Exploiting IDOR
- AntiHack IDOR on Create Submission
- How I was able to delete Google Gallery Data [IDOR]
- Change Anyone’s profile picture-Exploiting IDOR
- IDOR in JWT and the shortest token you will ever see {}.{“uid”: “1234567890”}
- Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR)
- IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent
- IDOR User Account Takeover By Connecting My Facebook Account with victims Account
- IDOR FACEBOOK: malicious person add people to the “Top Fans”
- YAHOO IDOR -elimination of any comment
- IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo
- Gsuite Hangouts Chat 5k IDOR
- How I was able to see any private album passwrod in Picturepush — IDOR
- How i HACKED admin account via password reset IDOR function of one private currency exchanger site
- Ribose — IDOR with Simple CSRF Bypass — Unrestricted Changes and Deletion to other Photo Profile
- How I Get the Name of the Hotel (and other Data) that you ever Stay - Personal Data Leaks: Private Bug Bounty Program
- IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks
- How I found IDOR on Twitter’s Acquisition – Mopub.com
- Abusing internal API to achieve IDOR in New Relic
- How I Pwned a company using IDOR & Blind XSS
- Taking over every Ad on OLX (automated), an IDOR story
- IDOR – Execute JavaScript into anyone account
- IDOR on HackerOne Hacker Review “What Program Say”
- Developer Luminate IDOR
- Insecure Direct Object Reference In Facebook Events
- IDOR While Connecting Social Account in Hackster.io
- How a simple IDOR become a $4K User Impersonation vulnerability
- Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages
- IDOR in Facebook’s Acquisition (Parse)
- Access developer tasks list of any Facebook Application (GraphQL IDOR)
- $4300 Instagram IDOR Bug (2022)
- Another day, Another IDOR vulnerability - $5000 Reddit Bug Bounty
If you want to add your writeup to the list: Submit Here