This article is based on how I found an IDOR vulnerability on a blog website which allowed me to get full access to users' private posts. Let's assume this blog website is redacted.com.
While I was looking for bugs on redacted.com, I came across a page where a user can create a private blog, meaning the blog's posts are only visible to people who have the blog's password. So I decided to find out whether a post could be viewed without the password.
I kept testing every aspect of the private blog feature. Then I noticed that one request was going to the server with a blog_name parameter, and the response contained all of that blog's posts. But wait, what if I changed the blog name to that of another private blog? I created a new private blog with another account, passed the new blog's name in the blog_name parameter of the captured request, and guess what? I was able to see all posts of the new blog. Voila!
The only thing an attacker has to do is identify the victim's private blog name. Once the blog name is known, the attacker can read all posts of that blog.
This type of vulnerability allows an attacker to gain unauthorised access to data and steal users' private information.
The application should perform an access control check to ensure the user is authorized for the requested object or service. Whenever sending data in a response, check whether that data is linked to the current session's user. Verify in the database that the object the user asked for actually belongs to, or has been unlocked by, that user, rather than trusting the identifier supplied in the request.
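To make the fix concrete, here is an added example (my own illustration, not code from redacted.com) modelling the blog_name lookup described above. The blog names, owners, posts and passwords are constructed sample data. `get_posts_insecure` reproduces the flaw: it resolves the client-supplied `blog_name` and returns the posts without asking who is logged in. `get_posts_secure` ties the object back to the session user (owner, or a user who has already unlocked the blog with its password) before any data leaves the server, and answers unknown and forbidden blog names identically so the endpoint cannot be used to confirm which private blog names exist.

```python
"""Added example (not the original post's code): IDOR on a blog_name lookup,
with the insecure handler beside an authorization-checked one."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Fixed salt is for this offline demo only; real code uses a per-blog random salt.
DEMO_SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    """Derive a password hash so the unlock check never compares plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


@dataclass
class Blog:
    name: str
    owner: str
    private: bool
    posts: list
    password_hash: bytes = b""
    # users who have already supplied this blog's password in this demo
    unlocked_by: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised by the hardened handler for any blog the caller may not read."""


class NotFound(Exception):
    """Raised by the insecure handler; it leaks whether a blog name exists."""


# Constructed sample database: two private blogs with different owners, one public.
BLOGS = {
    "alice-journal": Blog("alice-journal", "alice", True,
                          ["alice draft 1", "alice draft 2"], hash_password("alice-pw")),
    "bob-notes": Blog("bob-notes", "bob", True,
                      ["bob secret note"], hash_password("bob-pw")),
    "public-news": Blog("public-news", "carol", False, ["hello world"]),
}


def get_posts_insecure(session_user: str, blog_name: str) -> list:
    """IDOR: trusts the client-supplied blog_name and ignores session_user."""
    blog = BLOGS.get(blog_name)
    if blog is None:
        raise NotFound(blog_name)
    return list(blog.posts)


def is_authorized(session_user: str, blog: Blog) -> bool:
    """Public blogs are open; private blogs are readable by the owner or by a
    user who has already unlocked them with the password."""
    if not blog.private:
        return True
    return session_user == blog.owner or session_user in blog.unlocked_by


def get_posts_secure(session_user: str, blog_name: str) -> list:
    """Same lookup, but the object is checked against the session user first.
    Unknown and forbidden names get the same response."""
    blog = BLOGS.get(blog_name)
    if blog is None or not is_authorized(session_user, blog):
        raise Forbidden(blog_name)
    return list(blog.posts)


def unlock_blog(session_user: str, blog_name: str, password: str) -> bool:
    """Record that session_user knows the blog's password (constant-time compare)."""
    blog = BLOGS.get(blog_name)
    if blog is None or not blog.private:
        return False
    if hmac.compare_digest(hash_password(password), blog.password_hash):
        blog.unlocked_by.add(session_user)
        return True
    return False


def denied(handler, session_user: str, blog_name: str) -> bool:
    """True if the handler refuses the request with Forbidden (used for checks)."""
    try:
        handler(session_user, blog_name)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # bob reads alice's private posts through the insecure handler ...
    print(get_posts_insecure("bob", "alice-journal"))
    # ... but the hardened handler refuses the same request.
    print(denied(get_posts_secure, "bob", "alice-journal"))
```

The essential change is that `get_posts_secure` never returns data based on `blog_name` alone: the record is fetched and then checked against the session's user before the posts are serialised, which is the "is this object linked to the current user" check described above. The password unlock is modelled here as server-side state rather than a client-held token, so the authorization decision still rests on what the server knows about the session.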