Recipe: IDOR audit checklist
A step-by-step workflow for finding insecure direct object references in web applications.
1. Map all object identifiers
Crawl the application and log every numeric ID, UUID, slug, or hash that appears in URLs, request bodies, headers, and cookies. Group by resource type — users, orders, files, invoices.
2. Establish ownership baseline
Authenticate as User A and request User A's resources. Note the response shape, status codes, and any authorization headers. Repeat for User B to confirm each resource is scoped per session.
3. Horizontal privilege escalation
While authenticated as User A, substitute User B's object IDs into every endpoint discovered in step 1. Test GET, POST, PUT, PATCH, and DELETE. Flag any endpoint that returns a 2xx response for User B's object instead of 403 or 404.
4. Vertical privilege escalation
Repeat step 3 with a low-privilege role (guest, viewer) targeting admin-scoped IDs. Test endpoints that are hidden from the UI but still reachable via direct request.
5. Unpredictable ID bypass
If the app uses UUIDs or hashed IDs, check whether the ID is leaked elsewhere — response bodies, referrer headers, public profiles, or exported CSVs. A non-sequential ID is not a fix if it is exposed.
6. Batch and mass assignment
Send arrays of IDs in a single request. Attempt to bind object ownership fields (user_id, org_id) in request bodies. Flag any endpoint that accepts and processes these silently.
7. Report and retest
Document every vulnerable endpoint with request/response pairs. After the fix is deployed, replay the exact requests to confirm the vulnerability is closed.
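As an added example, not part of the Meridian library or its scanner, here is a pure-Python model of the server-side checks that steps 3 and 6 probe: the lookup keyed by ID alone (the IDOR) beside the owner-scoped lookup, an allow-list that drops client-supplied ownership fields, and per-item authorization for batch requests. The order store, user IDs, roles and field names are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data: two users in different orgs, each owning one order.
ORDERS = {
    101: {"owner_id": 1, "org_id": 10, "total": 42.0},
    202: {"owner_id": 2, "org_id": 20, "total": 99.0},
}
ADMIN_ROLE = "admin"

# Fields the client must never bind from a request body (step 6, mass assignment).
PROTECTED_FIELDS = frozenset({"owner_id", "org_id", "user_id"})


@dataclass
class Session:
    user_id: int
    org_id: int
    role: str = "user"


class Forbidden(Exception):
    pass


def get_order_vulnerable(session: Session, order_id: int) -> dict:
    """IDOR: keyed by id alone, so any authenticated caller reads any order (step 3)."""
    return ORDERS[order_id]


def get_order(session: Session, order_id: int) -> dict:
    """Hardened: scope the lookup to the caller; a foreign id fails the same way as a missing one."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner_id"] != session.user_id and session.role != ADMIN_ROLE):
        raise Forbidden(f"order {order_id} not accessible")  # map to 403/404, never 2xx
    return order


def can_read(session: Session, order_id: int) -> bool:
    """True only when the hardened lookup succeeds; convenient for a retest harness (step 7)."""
    try:
        get_order(session, order_id)
        return True
    except Forbidden:
        return False


def strip_protected(body: dict) -> dict:
    """Allow-list the writable fields; ownership columns are silently refused, never processed."""
    return {k: v for k, v in body.items() if k == "total"}


def update_order(session: Session, order_id: int, body: dict) -> dict:
    """Ownership check first, then apply only the sanitized body."""
    order = get_order(session, order_id)
    order.update(strip_protected(body))
    return order


def batch_get(session: Session, order_ids: list) -> list:
    """Authorize every element of a batch, not only the first (step 6)."""
    return [get_order(session, oid) for oid in order_ids]
```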
This checklist is part of the Meridian recipe library. Each step maps to a test case in the automated scanner.