ive been trying to find idors in banks all day but without success i might do an all nighter cause this is very fun
The thread tying all of these together: **token vulns and IDORs are the same root flaw - broken access control.** An IDOR is "the server forgot to check this object belongs to me." A token vuln is "the server's way of knowing who I am is broken, so I can *become* someone else" - and then every endpoint hands me their data. They chain: forge or steal a token _ server treats you as the victim _ instant IDOR-style access to everything they own, except now it looks legit to the server. _Here's the list reframed as classes to hunt, with detection methods:**1. JWT `alg: none`** _- *What it is:* A JWT is `header.payload.signature`. If the server honors `"alg":"none"`, it accepts a token with the signature stripped - total forgery.- *How to spot it:* Decode your own token (Burp's JWT editor or jwt.io), change `alg` to `none`, change `payload` (e.g. flip `"role":"user"` _ `"admin"` or swap a user ID), drop the signature, resend. If it's accepted, you win.- *IDOR link:* You're changing the identity the server trusts - same as tampering with an ID param, just at the auth layer.**2. JWT weak secret**- *What it is:* HMAC-signed JWTs use a shared secret. If it's weak (`secret`, `password123`), it's crackable.- *How to spot it:* Capture a token, run it through hashcat (mode 16500) against a wordlist offline. Crack the secret _ forge any token you want.- *IDOR link:* Once you can sign tokens, you can set the user ID to anyone's.
**3. Predictable session tokens**- *What it is:* Session IDs that are sequential, timestamp-based, or low-entropy.- *How to spot it:* Grab several tokens (log in a few times, or with two accounts) and eyeball them side by side. `1001`, `1002`, `1003`? Decoded and it's `base64(userid:timestamp)`? Predictable = guessable.- *IDOR link:* This *is* a horizontal IDOR - guessing another user's session is guessing their "ID" to access their session.**4. Password reset token flaws** (bounty goldmine _)- *What it is:* Reset tokens that are guessable, never expire, or reusable.- *How to spot it:* Request a few resets for your own account, compare the tokens for patterns. Test if an old token still works hours later, or works twice.- *Host header trick:* Intercept the reset request, change the `Host` header to your domain. If the email link now points to *your* host, the victim's token leaks to you when they click.- *IDOR link:* A guessable reset token = "guess the secret tied to another account's ID" _ account takeover.**5. Token leakage** __- *What it is:* Secrets ending up where they shouldn't - in URLs, client-side JS, error messages, git history.- *How to spot it:* Watch where tokens appear in Burp. In a URL? It's in server logs and browser history. Grep JS bundles for `api_key`, `token`, `secret`. Check the `Referer` header on pages that load third-party resources.- *IDOR link:* A leaked token lets you impersonate someone, which unlocks all their objects.**6. OAuth `state` / `redirect_uri`**- *What it is:* Missing `state` _ CSRF in the login flow. Loose `redirect_uri` validation _ token redirected to attacker.- *How to spot it:* Inspect the authorize request - is there a `state` param? Try tweaking `redirect_uri` (add a subdomain, path, `@your.com`) and see if the server still sends the token there.- *IDOR link:* Both let you hijack the identity that gets bound to the session.---
