AttackFlow Findings Dictionary


Insecure Direct Object Reference

The attacker can access usernames and passwords in cleartext



Fix Cost


Trust Level


Insecure Direct Object Reference (IDOR) is one of the most easily exploited attack vectors available to an attacker. All they have to do is test each parameter value to find out whether changing it lets them access or change other users' application data.

For example, imagine a view that lists the historical purchases of the previously authenticated user. When the user clicks the details of one of the listed purchases, the ID of the purchase, let's assume 3657435, is sent from the browser to the backend application, and the gory details of the selected purchase are shown in a separate interface.

Here the authenticated user might have bad intentions: when sending the purchase ID, 3657435, he might change it to another predictable ID that belongs to a different user's purchase. Let the changed ID be 3657436. If the backend code doesn't check whether the received purchase ID really belongs to the current user before sending the details, the attacker is now able to see the details of other users' purchases.
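The purchase-details lookup described above, shown without and with the ownership check. This is an added example, not AttackFlow's code; the `Purchase` record, the in-memory `PURCHASES` store, the user IDs and the function names are all hypothetical, and only the two purchase IDs come from the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Purchase:
    purchase_id: int
    owner_id: int
    details: str

# Constructed sample data: two users with consecutive purchase IDs.
PURCHASES = {
    3657435: Purchase(3657435, owner_id=101, details="user 101: 1x keyboard"),
    3657436: Purchase(3657436, owner_id=202, details="user 202: 1x monitor"),
}

class NotFound(Exception):
    """Raised for missing AND foreign purchases, so replies do not reveal valid IDs."""

def get_purchase_vulnerable(session_user_id: int, purchase_id: int) -> Purchase:
    # Vulnerable: the client-supplied ID is the only lookup key.
    # session_user_id is never consulted, so any logged-in user can read any row.
    try:
        return PURCHASES[purchase_id]
    except KeyError:
        raise NotFound(purchase_id) from None

def get_purchase_hardened(session_user_id: int, purchase_id: int) -> Purchase:
    # Hardened: ownership is checked against the server-side session identity,
    # never against a user ID sent by the browser.
    purchase = PURCHASES.get(purchase_id)
    if purchase is None or purchase.owner_id != session_user_id:
        raise NotFound(purchase_id)
    return purchase

def can_read(handler, session_user_id: int, purchase_id: int) -> bool:
    """Return True if the handler discloses the purchase to this session user."""
    try:
        handler(session_user_id, purchase_id)
        return True
    except NotFound:
        return False

if __name__ == "__main__":
    for handler in (get_purchase_vulnerable, get_purchase_hardened):
        print(handler.__name__,
              "own:", can_read(handler, 101, 3657435),
              "foreign:", can_read(handler, 101, 3657436))
```

In a real backend the same check is usually expressed by scoping the query itself to the session user (owner ID in the lookup condition) rather than filtering after the fetch.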
