You found an IDOR that leaks data. Good. But can you change someone else’s email, delete their account, or escalate privileges? When you master IDOR on POST, PUT, and DELETE, you turn read access into full account takeover.
Welcome back to the Bug Bounty Bootcamp. You’ve learned the basics of IDOR — changing a number in a GET request to view another user’s private data. That’s a solid finding. But the real money lies in IDOR on state-changing operations. If you can modify or delete another user’s resources, the severity jumps from Medium to Critical. And sometimes, the same endpoint that refuses a GET request will happily accept a POST or DELETE with the same parameter. This guide covers the advanced tactics that separate novice IDOR hunters from those who consistently earn top bounties.
The Blind Spot: IDOR Isn’t Just for GET Requests
Most testers focus on GET requests because the ID is visible in the URL. But modern APIs use POST, PUT, PATCH, and DELETE for actions. The ID might be in the request body…
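To make the point concrete, here is an added example (not code from the original post) that models an "update e-mail" PUT handler two ways: the IDOR-prone version trusts a `user_id` in the request body, while the hardened version derives the target from the server-side session and refuses any body id that does not match it. The request, session and user table are constructed in-memory and hypothetical; no web framework is involved.

```python
# Added example: IDOR on a state-changing (PUT) request, vulnerable vs. hardened.
# Request, session identity and user records are all constructed for illustration.
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    body: dict
    session_user_id: int  # identity the server established from the session cookie


def make_users() -> dict:
    """Constructed sample user table (hypothetical data)."""
    return {
        1: {"email": "alice@example.com", "role": "user"},
        2: {"email": "bob@example.com", "role": "user"},
    }


def update_email_vulnerable(req: Request, users: dict) -> tuple:
    """IDOR-prone handler: trusts the user_id supplied in the PUT body."""
    if req.method != "PUT":
        return 405, "method not allowed"
    target = users.get(req.body.get("user_id"))
    if target is None:
        return 404, "no such user"
    # Missing check: nothing verifies that req.session_user_id owns the target.
    target["email"] = req.body["email"]
    return 200, "updated"


def update_email_hardened(req: Request, users: dict) -> tuple:
    """Hardened handler: the target is the session user, never a body-supplied id."""
    if req.method != "PUT":
        return 405, "method not allowed"
    body_id = req.body.get("user_id")
    if body_id is not None and body_id != req.session_user_id:
        # A body id that differs from the session id is worth logging and alerting on.
        return 403, f"forbidden: session user {req.session_user_id} cannot modify user {body_id}"
    users[req.session_user_id]["email"] = req.body["email"]
    return 200, "updated"


if __name__ == "__main__":
    users = make_users()
    # Session user 1 sends a PUT that names user 2 in the body.
    req = Request("PUT", {"user_id": 2, "email": "changed@example.com"}, session_user_id=1)
    print(update_email_vulnerable(req, users), users[2]["email"])  # (200, 'updated') and user 2 changed
    users = make_users()
    print(update_email_hardened(req, users), users[2]["email"])    # (403, ...) and user 2 intact
```

The same pattern applies to DELETE and PATCH: the object being acted on must be resolved from the authenticated identity or checked for ownership before the write happens, regardless of which HTTP method carries the id.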