An Insecure Direct Object Reference (IDOR) vulnerability appears when a parameter gains access to a certain resource. By modifying this parameter, it is possible to access other resources that are not authorized for this user. Usually the affected parameters are used as control for the application's flow, for example, the named id, uid, r, url, ur, and so on.
These kinds of vulnerabilities could be detected using the Target tool in Burp Suite. Similar to the CSRF detection, the more URLs you detect, the more possibilities there are to find vulnerabilities:
- To add a target to the scope, go to Burp Suite, and using the secondary button of the mouse, click on Add to the scope option.
- Then go to the Target tool, and click on the Scope tab. Here you will see listed all the URLs, domains, and sections added to the scope...