Tips for BAC and IDOR Vulnerabilities

Introduction

Publicly disclosed IDOR vulnerability report by headhunter on HackerOne (https://hackerone.com/reports/1777095)

What is a BAC Vulnerability?

  1. The admin account page at /admin is not linked anywhere on the front end.
  2. A regular user account requests it directly, and the request succeeds.
  3. This escalates privileges and exposes admin account information.

Example of a sensitive page with impact if exposed via BAC.

What is an IDOR Vulnerability?

  1. User A reaches their own account settings through the /account page with the parameter id=101.
  2. User A increments the parameter to id=102 and receives User B’s account information.

Example HTTP request with an IDOR.

Blind IDOR

  1. Change the userID in any request.
  2. You get a 200 status code, but the response body reveals nothing else.
  3. Check for an email notification to see if it leaks any sensitive information, such as first and last name.
  4. 💥 Blind IDOR!

Example email notification exposing first and last name.

IDOR w/ UUID

  1. Log in as User A and notice a UUID in an HTTP request. Note that UUID.
  2. Log in as User B and find the same request with User B’s UUID.
  3. Swap in User A’s UUID from step 1 and see if it works. If it does, you’re almost there.
  4. Because UUIDs are usually not practical to brute force, one more element is needed to complete the exploit.
  5. Find a different HTTP request that responds with a UUID based on other input, such as an email address.
  6. If the UUID from step 5 matches the one from step 1, 💥 IDOR w/ UUID!
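The unchecked lookup behind the /account?id= IDOR and the Blind IDOR write described above, beside a version that enforces object-level authorization on the server. This is an added example, not code from the original post or from the report it cites; the Request class, the ACCOUNTS table and the handler names are constructed stand-ins.

```python
from dataclasses import dataclass, field

# Constructed sample data: two users, each owning one account record.
ACCOUNTS = {
    101: {"owner": "userA", "email": "a@example.com"},
    102: {"owner": "userB", "email": "b@example.com"},
}


@dataclass
class Request:
    session_user: str                            # identity from the session, not the URL
    params: dict = field(default_factory=dict)   # client-controlled query/body parameters
    audit: list = field(default_factory=list)    # stand-in for the server's audit log


def get_account_vulnerable(req):
    """IDOR: trusts the client-supplied id, so any logged-in user reads any record."""
    acct = ACCOUNTS.get(int(req.params["id"]))
    return (200, acct) if acct else (404, None)


def get_account_hardened(req):
    """Looks the record up by id, then requires that the session user owns it."""
    acct = ACCOUNTS.get(int(req.params["id"]))
    if acct is None or acct["owner"] != req.session_user:
        # One response for "missing" and "not yours", so a 200/404 difference
        # cannot confirm that another user's id exists; log it for detection.
        req.audit.append(f"denied id={req.params['id']} user={req.session_user}")
        return (404, None)
    return (200, acct)


def update_email_hardened(req):
    """Blind IDOR case: a write that used to answer 200 with an empty body now
    reuses the ownership check, so a swapped id changes nothing and sends no email."""
    status, acct = get_account_hardened(req)
    if status != 200:
        return status
    acct["email"] = req.params["email"]
    return 200
```

Repeated "denied" audit entries from one session across many ids are the detection signal for the enumeration the steps above describe.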

Automating with Auth Analyzer

Conclusion

More Resources
