Drvirus1911

IDOR Writeups

May 16th, 2020
  1. http://incidentsecurity.com/how-spending-our-saturday-hacking-earned-us-20k/
  2. https://appsecure.security/blog/how-i-could-have-hacked-your-uber-account
  3. https://blog.usejournal.com/a-less-known-attack-vector-second-order-idor-attacks-14468009781a
  4. https://daleys.space/writeup/0day/2019/09/09/verizon-leak.html
  5. https://evanricafort.blogspot.com/2019/08/read-other-user-support-tickets-in.html
  6. https://fadhilthomas.github.io/bug-bounty-tokopedia-01-en/
  7. https://footstep.ninja/posts/exploiting-self-xss/
  8. https://footstep.ninja/posts/idor-via-email/
  9. https://footstep.ninja/posts/idor-via-http/
  10. https://footstep.ninja/posts/idor-via-websockets/
  11. https://gauravnarwani.com/priv-esc-highest-admin/
  12. https://georgeosterweil.com/2019-02-20-fbctf-idor/
  13. https://gh0st.cn/archives/2019-10-01/1
  14. https://hailstorm1422.com/linkedin-blind-idor/
  15. https://medium.com/@R0X4R/graphql-idor-leads-to-information-disclosure-175eb560170d
  16. https://medium.com/@Vibhurushi_Chotaliya/idor-payment-fraud-99d330879c0d
  17. https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240
  18. https://medium.com/@avinash_/disclosure-of-pending-roles-for-any-facebook-page-ab6e4e219f8e
  19. https://medium.com/@hariharan21/idor-leads-to-project-takeover-548a1bfd4d66
  20. https://medium.com/@kedrisec/publish-tweets-by-any-other-user-6c9d892708e3
  21. https://medium.com/@masonhck357/chains-on-chains-chaining-several-idors-into-account-takeover-part-one-373627f2910f
  22. https://medium.com/@mdhridoy_4607/1st-bounty-story-rewarded-300-idor-bc4e1708e8e0
  23. https://medium.com/@mr_hacker/a-5000-idor-f4268fffcd2e
  24. https://medium.com/@noob.assassin/idor-in-one-plus-leads-to-leak-user-personal-info-e7e07729dc5
  25. https://medium.com/@np20121996/how-was-i-able-to-find-privilege-escalation-b13366b97706
  26. https://medium.com/@pratyush1337/edm0d0-idor-vulnerabilities-95ca8600ee1c
  27. https://medium.com/@pratyush1337/inf0rm-tion-disclosure-via-idor-20f1ba5aa508
  28. https://medium.com/@pratyush1337/inf0rm-tion-disclosure-via-idor-cff5541a9232
  29. https://medium.com/@princechaddha/account-takeover-on-airbnb-acquisition-an-unusual-bug-part-2-45fab11dc407
  30. https://medium.com/@protector47/password-reset-vulnerability-full-account-takeover-insecure-direct-object-reference-c4a9a3ea8268
  31. https://medium.com/@rajasudhakar/how-i-could-delete-facebook-ask-for-recommendations-posts-place-objects-in-comments-b7c9bcdf1c92
  32. https://medium.com/@rohan_x3/edmodo-idor-to-view-private-files-of-any-class-2280676c84b8
  33. https://medium.com/@rupika.luhach/how-i-was-able-to-extract-information-of-other-users-exploiting-idor-9f03aa72dd06
  34. https://medium.com/@saadahmedx/accidental-idor-8987a2728d4
  35. https://medium.com/@saadahmedx/idor-account-takeover-1ff5a2d03b8b
  36. https://medium.com/@sahruldotid/antihack-idor-on-create-submission-ddb3cf40c26b
  37. https://medium.com/@sakyb7/tale-of-account-takeover-sensitive-info-disclosure-broken-access-control-cea0a5e3a1fd
  38. https://medium.com/@swapmaurya20/a-simple-idor-to-account-takeover-88b8a1d2ec24
  39. https://medium.com/@vis_hacker/how-i-was-able-to-pwned-30000-users-webhook-d26dc3420703
  40. https://medium.com/@zseano/easily-leaking-passenger-information-on-an-airline-18f99b22cf95
  41. https://medium.com/a-bugz-life/the-bugs-are-out-there-hiding-in-plain-sight-12d056613ea3
  42. https://medium.com/bugbountywriteup/a-simple-bypass-of-registration-activation-that-lead-to-many-bug-a-story-about-how-my-friend-5df0889f1062
  43. https://medium.com/bugbountywriteup/accidental-idor-that-deleted-admin-account-d51264292b66
  44. https://medium.com/bugbountywriteup/account-takeover-using-idor-and-the-misleading-case-of-error-403-cb42c96ea310
  45. https://medium.com/bugbountywriteup/disclose-private-attachments-in-facebook-messenger-infrastructure-15-000-ae13602aa486
  46. https://medium.com/bugbountywriteup/how-i-gained-access-to-revenue-and-traffic-data-of-thousands-of-shopify-stores-b6fe360cc369
  47. https://medium.com/bugbountywriteup/how-i-unlocked-the-blocked-accounts-545e9b7d7be1
  48. https://medium.com/bugbountywriteup/stories-of-idor-4966369e6d82
  49. https://medium.com/bugbountywriteup/stories-of-idor-part-2-29d313a39e55
  50. https://medium.com/bugbountywriteup/vimeo-livestream-bug-bounty-writeup-13fd208b5f4f
  51. https://medium.com/h4x00r/my-very-first-bug-a-dreaded-dupe-and-then-an-idor-jackpot-d01b69f6fbae
  52. https://philippeharewood.com/download-arexport-files-for-any-public-ar-studio-effect/
  53. https://philippeharewood.com/removing-profile-pictures-for-any-facebook-user/
  54. https://vict0ni.me/changing-userID-leads-to-data-leak/
  55. https://websecblog.com/vulns/google-earth-studio-vulnerability/
  56. https://websecblog.com/vulns/listing-email-addresses-on-google-crisis-map/
  57. https://whitehathaji.blogspot.com/2019/07/paypal-bug-10k-all-secondary-users.html
  58. https://www.amolbaikar.com/determine-users-with-detailed-role-model-on-behalf-of-any-facebook-application/
  59. https://www.amolbaikar.com/disclose-full-admin-list-of-any-facebook-applications/
  60. https://www.indoappsec.in/2019/12/airbnb-steal-earning-of-airbnb-hosts-by.html
  61. https://www.linkedin.com/pulse/hacking-youtube-fun-profit-alexandru-coltuneac/
  62. https://www.rahulr.in/2019/10/idor-to-rce.html?m=1
  63. https://www.tomanthony.co.uk/blog/facebook-bug-confirm-user-identities/
  64. https://ysamm.com/?p=171
  65. https://ysamm.com/?p=240
  66. https://ysamm.com/?p=291
  67. https://ysamm.com/?p=314
  68. https://ysamm.com/?p=60