Task 1 of 5
Beyond the URL Bar
The beginner IDOR course showed you the simplest version: change a number in the browser URL bar, load someone else's data. That works — and it finds real bugs. But most modern applications hide their IDs somewhere your browser never shows you.
APIs don't load pages — they return data. The ID is in the request you send, not in an address bar you can edit. To tamper with it, you need to see the raw request and change it before it goes. That is exactly what the Interceptor is for.
THREE WAYS IDOR HIDES IN REAL APPS
In the URL path
/api/account/100001/statement
Visible in the address bar — the classic case. Easy to spot, easy to test.
In the URL as a query parameter
/api/orders?user_id=4291&export=pdf
Visible in the URL but often overlooked because it looks like a filter, not an access control.
In the API response itself
You load your profile. The response contains IDs of other users — friends, admins, order recipients. You use those IDs in the next request.
Hidden entirely. You only see it when you read the raw response body.
This module covers all three — starting with the one you already know, then showing you how the Interceptor handles the ones you can't reach from the browser alone.
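The server-side view of the same three cases, as an added example that is not part of this course: each request shape from the list above is handled first by trusting the client-supplied ID (the IDOR) and then by checking it against the authenticated session. User IDs, account numbers and order records are constructed sample data.

```python
# Added example, not from the course. Constructed data: user 7 is the caller, user 9 is someone else.
USERS = {7: {"name": "alice", "friends": [9]}, 9: {"name": "bob", "friends": [7]}}
ACCOUNTS = {100001: {"owner": 7, "statement": "stmt-7"},
            100002: {"owner": 9, "statement": "stmt-9"}}
ORDERS = [{"id": 1, "user_id": 7, "item": "book"},
          {"id": 2, "user_id": 9, "item": "lamp"}]


class Forbidden(Exception):
    """Raised when the session user does not own the requested object."""


# 1. ID in the URL path: /api/account/<account_id>/statement
def statement_vulnerable(session_user, account_id):
    return ACCOUNTS[account_id]["statement"]            # trusts the path segment outright


def statement_fixed(session_user, account_id):
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        raise Forbidden(account_id)                     # same answer for missing and foreign IDs
    return acct["statement"]


# 2. ID as a query parameter: /api/orders?user_id=<n>&export=pdf
def orders_vulnerable(session_user, query):
    uid = int(query["user_id"])                         # the "filter" decides whose data comes back
    return [o for o in ORDERS if o["user_id"] == uid]


def orders_fixed(session_user, query):
    # The client-supplied filter is ignored; the session decides whose orders are listed.
    return [o for o in ORDERS if o["user_id"] == session_user]


# 3. IDs leaked in a response body: /api/profile returns friends' IDs. The fix is not to
# hide them but to re-check ownership on every later request that uses them.
def profile(session_user):
    me = USERS[session_user]
    return {"name": me["name"], "friends": me["friends"]}


def demo():
    """Return what user 7 gets when replaying a friend's ID through each handler."""
    friend = profile(7)["friends"][0]                   # 9, read from the response body
    foreign_account = next(a for a, v in ACCOUNTS.items() if v["owner"] == friend)
    leaked = statement_vulnerable(7, foreign_account)   # "stmt-9": the IDOR
    try:
        statement_fixed(7, foreign_account)
        blocked = False
    except Forbidden:
        blocked = True
    return {"leaked": leaked, "blocked": blocked,
            "orders_vuln": orders_vulnerable(7, {"user_id": str(friend)}),
            "orders_fixed": orders_fixed(7, {"user_id": str(friend)})}
```

Note that the fixed handlers never consult the ID to decide *who* the caller is; the session does that, and the ID only selects among objects that session already owns.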
1
Why can't you test API-based IDOR by just editing the browser address bar?