Finding IDORs That Pay: Patterns, Predictable IDs, Multi-Tenant Leaks
Cybersecurity
IDORs still dominate bounty payouts because tenancy checks lag behind feature velocity. This guide maps the patterns that surface real money, from predictable integer IDs to UUID leakage in webhooks, and shows the heuristics that turn a tester into a hunter.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 2, 2023 · 10 min read
Why IDORs Still Pay
Insecure Direct Object References live in the gap between authentication and authorization. Authentication says you are logged in. Authorization says which rows you may read. When the second check is missing or weak, an integer in a URL becomes a leak.
Bug bounty triage queues are full of IDORs because every new endpoint is a new authorization decision, and teams often ship without writing one.
Predictable IDs Are Still Everywhere
- Sequential integers in invoice, order, ticket, and message endpoints
- Short base62 IDs that look random but enumerate in minutes
- Hashids and other reversible encodings with leaked salts
- Timestamps embedded in object IDs that narrow the search space
Turbo Intruder can sweep a 200k range in a minute. Filter on response length, status, and JSON keys to find anomalies fast.
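A quick way to test the "looks random but enumerates in minutes" claim against IDs you have actually collected, as an added example that is not code from the original article: it decodes a handful of observed base62 IDs and reports whether they sit in a dense integer range worth sweeping or in a Unix-time window. It assumes the target uses the 0-9A-Za-z alphabet with the most significant digit first (confirm that against one known ID before trusting the output), and the sample IDs below are constructed.

```python
"""Spot predictable object IDs from a handful of observed values.

Added example for this article, not code from the original page. It
assumes base62 over 0-9A-Za-z, most significant digit first; that is an
assumption about the target, so check it against a known ID first.
"""
import string

ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase
INDEX = {c: i for i, c in enumerate(ALPHABET)}

# Any span at or below this is one Intruder sweep, not a search problem.
SWEEPABLE_SPAN = 250_000

# Unix time windows, 2000-01-01 .. 2100-01-01, in seconds and milliseconds.
TIME_WINDOWS = {
    "seconds": (946_684_800, 4_102_444_800),
    "milliseconds": (946_684_800_000, 4_102_444_800_000),
}


def base62_decode(token):
    n = 0
    for ch in token:
        n = n * 62 + INDEX[ch]
    return n


def base62_encode(n):
    digits = []
    while True:
        n, r = divmod(n, 62)
        digits.append(ALPHABET[r])
        if n == 0:
            break
    return "".join(reversed(digits))


def timestamp_unit(n):
    """Return the unit if n falls in a plausible Unix time window, else None."""
    for unit, (lo, hi) in TIME_WINDOWS.items():
        if lo <= n <= hi:
            return unit
    return None


def assess(ids):
    """Decode the observed IDs and decide whether the space is worth sweeping."""
    values = sorted(base62_decode(i) for i in ids)
    span = values[-1] - values[0]
    units = {timestamp_unit(v) for v in values}
    report = {"min": values[0], "max": values[-1], "span": span}
    if len(units) == 1 and None not in units:
        # Every value sits in one time window: the ID is the creation time,
        # so the search space is the window the objects were created in,
        # not 62 ** len(id).
        report["verdict"] = "timestamp"
        report["unit"] = units.pop()
    elif len(values) < 2:
        report["verdict"] = "too-few-samples"
    elif span <= SWEEPABLE_SPAN:
        # Dense integers: sweep everything between the lowest and highest
        # observed ID (add a margin on both sides in practice).
        report["verdict"] = "dense"
        report["requests_to_sweep"] = span + 1
    else:
        report["verdict"] = "no-structure-in-sample"
    return report


# Constructed sample: four invoice IDs collected while walking the app as
# user A. They look random but decode to four integers 46 apart.
INVOICE_IDS = ["ZIQH", "ZIQL", "ZIQQ", "ZIR1"]

# Constructed sample: an ID copied from a webhook payload that decodes to
# a millisecond Unix timestamp on 2023-02-02.
WEBHOOK_IDS = ["TUfE4Lw"]

if __name__ == "__main__":
    print(assess(INVOICE_IDS))
    print(assess(WEBHOOK_IDS))
```

Feed it the IDs you see in the first ten minutes of walking the app; a "dense" verdict with a span in the tens of thousands is the signal to switch from browsing to sweeping.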
Tenant Boundary Bugs
Multi-tenant SaaS often scopes by tenant_id in the JWT, then forgets to enforce it in a side endpoint. Watch for export, share, search, and reporting routes.
- Cross-tenant reads via shared cache keys
- Search endpoints that bypass row-level security
- PDF and CSV exporters with no tenant filter
- Webhook replay endpoints that fetch by raw ID
UUIDs Are Not a Control
UUIDs reduce guessing but leak through Referer headers, public webhooks, signed share links, and team activity feeds. Once an ID has leaked, the endpoint must still authorize the caller.
Method Switching
GET may enforce the ACL while PATCH does not. Try DELETE, PUT, and PATCH against the same path. Read 405 and 403 as different signals: 405 means the route does not handle that verb at all, 403 means it does and an access check fired. Both tell you something.
Verb Tampering and Mass Assignment
Send role, owner_id, tenant_id, and is_admin in the body even when the form does not expose them. Many backends bind every field in the body to the model and never check which ones the caller was allowed to set.
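The bind-everything handler next to an allowlisted one, as an added example (not code from the article); the record, field names and request body are constructed for the demonstration.

```python
"""Mass assignment: bind-everything versus an explicit allowlist.

Added example for this article, not code from the original page. The
handlers stand in for a profile update route; record and bodies are
constructed.
"""
import copy

# Constructed record as the data layer would return it.
USER = {"id": 42, "tenant_id": 7, "email": "a@example.test",
        "display_name": "A", "role": "member", "is_admin": False}

# What the form exposes. Anything else in the body is the caller's choice.
WRITABLE = {"email", "display_name"}


class Forbidden(Exception):
    pass


def update_profile_vulnerable(record, body):
    """Bind every field in the body onto the record (the bug)."""
    updated = copy.deepcopy(record)
    for key, value in body.items():
        if key in updated:  # the only "validation": the column exists
            updated[key] = value
    return updated


def update_profile_hardened(record, body):
    """Accept only allowlisted fields and refuse, rather than ignore, the rest."""
    extra = set(body) - WRITABLE
    if extra:
        # Refusing instead of silently dropping makes probes show up in logs.
        raise Forbidden("fields not writable: %s" % sorted(extra))
    updated = copy.deepcopy(record)
    updated.update(body)
    return updated


# Constructed attacker body: the form only shows display_name.
ATTACK_BODY = {"display_name": "A", "is_admin": True, "role": "owner",
               "tenant_id": 1}


def demo():
    """Return what the vulnerable handler let through and whether the
    hardened one refused the same body."""
    after = update_profile_vulnerable(USER, ATTACK_BODY)
    escalated = {k: (USER[k], after[k]) for k in USER if USER[k] != after[k]}
    try:
        update_profile_hardened(USER, ATTACK_BODY)
        blocked = False
    except Forbidden:
        blocked = True
    return escalated, blocked


if __name__ == "__main__":
    print(demo())
```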
Burp Workflow That Finds IDORs Fast
- Log in as two users in separate Burp sessions
- Walk the app as user A with Logger++ recording
- Replay every request as user B with Autorize or Auth Analyzer
- Diff response sizes and status codes for anomalies
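The diff step of that workflow written out as an added example, not code from the article or from the Autorize and Auth Analyzer extensions: a classifier that takes user A's response and user B's replay of the same request and sorts them into the buckets worth reporting, including the 405-versus-403 distinction from the method-switching section. The request log it runs over is constructed.

```python
"""Triage A/B replay results into report-first buckets.

Added example for this article, not code from the original page or from
Autorize/Auth Analyzer. Each record is one request walked as user A and
replayed verbatim with user B's session; responses are (status, body).
"""
import json
from difflib import SequenceMatcher

SIMILAR = 0.90  # body similarity above which B is treated as seeing A's data


def json_shape(body):
    """Top-level keys of a JSON object, ('<list>', n) for an array, None if not JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if isinstance(data, dict):
        return tuple(sorted(data))
    if isinstance(data, list):
        return ("<list>", len(data))
    return ("<scalar>",)


def classify(a, b):
    """Label one request from A's response and B's replay.

    bypassed      B got a 2xx whose body mirrors A's: report this first
    scoped-empty  B got a 2xx but an empty collection: the tenant filter held
    enforced      B got 401/403/404: a check exists for this verb
    verb-missing  405: the route never handles this verb, try another
    inconclusive  anything else; inspect by hand
    """
    status_a, body_a = a
    status_b, body_b = b
    if status_b == 405:
        return "verb-missing"
    if status_b in (401, 403, 404):
        return "enforced"
    if status_b // 100 != 2 or status_a // 100 != 2:
        return "inconclusive"
    shape_a, shape_b = json_shape(body_a), json_shape(body_b)
    if shape_b == ("<list>", 0):
        return "scoped-empty" if shape_a != shape_b else "inconclusive"
    ratio = SequenceMatcher(None, body_a, body_b).ratio()
    if shape_a == shape_b and ratio >= SIMILAR:
        return "bypassed"
    return "inconclusive"


def triage(records):
    """One dict per request, most report-worthy first."""
    order = {"bypassed": 0, "inconclusive": 1, "verb-missing": 2,
             "scoped-empty": 3, "enforced": 4}
    rows = [{"method": m, "path": p, "verdict": classify(a, b)}
            for m, p, a, b in records]
    rows.sort(key=lambda r: order[r["verdict"]])
    return rows


# Constructed sample log: (method, path, A's response, B's replay).
INVOICE_A = json.dumps({"id": 1041, "tenant_id": 7, "total": "1240.00",
                        "customer": "Acme GmbH"})
RECORDS = [
    ("GET", "/api/invoices/1041", (200, INVOICE_A), (200, INVOICE_A)),
    ("GET", "/api/invoices",
     (200, json.dumps([{"id": 1041}, {"id": 1042}])), (200, json.dumps([]))),
    ("PATCH", "/api/invoices/1041", (200, INVOICE_A), (403, '{"error":"forbidden"}')),
    ("DELETE", "/api/invoices/1041", (405, ""), (405, "")),
    ("GET", "/api/export/invoices.csv?tenant=7",
     (200, "id,total\n1041,1240.00\n1042,88.00\n"),
     (200, "id,total\n1041,1240.00\n1042,88.00\n")),
]

if __name__ == "__main__":
    for row in triage(RECORDS):
        print("%-13s %-7s %s" % (row["verdict"], row["method"], row["path"]))
```

The CSV record is the case that status-code filtering alone misses: both sessions get a 200, and only the byte-for-byte comparison shows that the exporter never applied a tenant filter.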
Reporting That Gets Paid
Show the cross-account impact with two screenshots: user B fetching user A's data. Quantify the blast radius: how many records, how sensitive they are, and what the fix is.
Predictable IDs are not the bug. Missing authorization is the bug. IDs just make it cheap to find.
Defender Notes for Your Report
- Enforce row-level checks in the data layer, not the controller
- Add tenant_id to every query and assert it in tests
- Log denied accesses and alert on enumeration patterns
- Use opaque per-tenant IDs for shared resources
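The exporter from the tenant-boundary section beside a tenant-scoped repository that implements the first two defender notes, plus a trace-based check that flags any query reading the table without a tenant_id predicate. This is an added example, not code from the article; the schema, rows and route are constructed.

```python
"""Tenant scoping in the data layer, with the CI check that keeps it there.

Added example for this article, not code from the original page. The
schema, rows and exporter route are constructed for the demonstration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE invoices (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL,
    customer  TEXT NOT NULL,
    total     REAL NOT NULL
);
"""

# Constructed rows: two tenants sharing one sequential ID space.
ROWS = [
    (1041, 7, "Acme GmbH", 1240.00),
    (1042, 7, "Acme GmbH", 88.00),
    (1043, 9, "Globex Ltd", 5600.00),
]


class NotFound(Exception):
    pass


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", ROWS)
    return db


def export_invoice_vulnerable(db, invoice_id):
    """The side endpoint: CRUD routes are scoped, the CSV exporter is not."""
    row = db.execute("SELECT id, customer, total FROM invoices WHERE id = ?",
                     (invoice_id,)).fetchone()
    if row is None:
        raise NotFound(invoice_id)
    return "id,customer,total\n%d,%s,%.2f\n" % row


class TenantRepo:
    """Every query carries tenant_id taken from the session, never the request."""

    def __init__(self, db, tenant_id):
        self.db = db
        self.tenant_id = tenant_id

    def get_invoice(self, invoice_id):
        # The tenant predicate lives here, so no controller can forget it.
        row = self.db.execute(
            "SELECT id, customer, total FROM invoices "
            "WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id)).fetchone()
        if row is None:
            # Same NotFound for another tenant's ID: don't confirm it exists.
            raise NotFound(invoice_id)
        return row

    def search(self, customer_prefix):
        return self.db.execute(
            "SELECT id FROM invoices WHERE customer LIKE ? AND tenant_id = ? "
            "ORDER BY id", (customer_prefix + "%", self.tenant_id)).fetchall()


def export_invoice_scoped(repo, invoice_id):
    return "id,customer,total\n%d,%s,%.2f\n" % repo.get_invoice(invoice_id)


def queries_missing_tenant(db, action):
    """Run action() with SQL tracing on and return every statement that reads
    invoices without a tenant_id predicate. Assert this is empty in CI."""
    seen = []
    db.set_trace_callback(seen.append)
    try:
        action()
    except NotFound:
        pass
    finally:
        db.set_trace_callback(None)
    return [q for q in seen if "FROM invoices" in q and "tenant_id" not in q]


def demo():
    db = make_db()
    leaked = export_invoice_vulnerable(db, 1041)  # tenant 9 reading tenant 7
    try:
        export_invoice_scoped(TenantRepo(db, tenant_id=9), 1041)
        blocked = False
    except NotFound:
        blocked = True
    unscoped = queries_missing_tenant(db, lambda: export_invoice_vulnerable(db, 1041))
    return leaked, blocked, len(unscoped)


if __name__ == "__main__":
    print(demo())
```

The trace check is deliberately blunt (a substring test on the SQL text); its job is to fail the build the day someone adds a fourth export route that goes back to fetching by raw ID.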
Closing
IDORs reward patience and a clean two-account workflow. The hunters who win are the ones who methodically replay every request as the second user and read every byte of the diff.