> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/bypass/access-control/trick-0375.md).

# IDOR Exploitation Via URL Parameter

***

Inspect URLs for parameters controlling resource access (e.g., `id`, `data`). Systematically change the parameter's value to bypass authorization checks and potentially access resources intended for others.

For example, if you see a URL like:

```
GET /resource?id=123
```

Try changing the `id` parameter to other values such as `124`, `1`, `0`, or increment/decrement from the original value. Similarly, if a parameter like `/resource?data=config` is used, changing it to something like `/resource?data=0` could reveal different files or data, such as a `.pcap` network capture file as observed in some cases.

Authorization Bypass through URL Manipulation, also known as Insecure Direct Object Reference (IDOR), occurs when a web application allows a user to access resources (like records, files, or data) by simply changing the value of a parameter in the URL. This is a type of access control vulnerability that arises when an application uses user-supplied input to access an object directly, such as a database record, file, or static resource.

Consider a URL like:

```
http://example.com/profile.php?userid=123
```

An attacker could attempt to access another user's profile by changing the `userid` parameter value, for example, to `456`:

```
http://example.com/profile.php?userid=456
```

Similarly, in an HTTP GET request targeting user profiles:

```
GET /profile?user_id=123 HTTP/1.1
Host: example.com
```

Changing the `user_id` parameter to a different value, such as `456`, might allow access to the profile of user 456:

```
GET /profile?user_id=456 HTTP/1.1
Host: example.com
```

Another common scenario involves accessing account details. An HTTP request might look like this:

```
GET /account?customer_number=12345 HTTP/1.1
Host: insecure-website.com
Cookie: session=...
```

By changing the `customer_number` parameter from `12345` to `12346`, an attacker could potentially view the account details of customer 12346, assuming inadequate access control checks:

```
GET /account?customer_number=12346 HTTP/1.1
Host: insecure-website.com
Cookie: session=...
```

This technique, known as Parameter Tampering, involves manipulating parameters exchanged between client and server. It can be performed using tools like `curl` to directly send modified requests. For instance, to view an account with ID `123`:

```bash
curl "http://example.com/view_account?account_id=123"
```

To attempt viewing an account with ID `456` by tampering with the `account_id` parameter:

```bash
curl "http://example.com/view_account?account_id=456"
```

Parameter tampering is not limited to GET requests and can also involve changing parameters in POST requests or hidden form fields.
