ZAP for IDOR
IDOR (Insecure Direct Object Reference) occurs when applications expose internal object identifiers (like user IDs or filenames) without proper authorization checks. This allows attackers to access or modify data belonging to other users simply by changing an identifier.
Recently, while going through the TryHackMe challenge IDOR – Santa’s Little IDOR, I decided to revisit how ZAP can be used not just to reveal IDOR issues but also to automate their discovery.
Identifying the IDOR
The challenge exposes a classic pattern: a user ID stored client‑side without any real access control.
Here’s the interface showing the underlying issue:

By navigating to the storage section, you can clearly see that your access level is controlled by a simple numeric ID:

If you manually update the ID and refresh the page… well, you suddenly have access to someone else’s panel. This is the essence of IDOR: the server never checks that the requesting user is authorized to see the object behind that ID, and it performs no server‑side validation of the client‑supplied value.
Using ZAP to Detect IDOR
Now, instead of manually editing IDs one by one, ZAP can help us find, inspect, and automate IDOR testing.
First, ZAP captures the vulnerable request:

Once you identify the parameter to test, it’s time to fuzz it.
Automating the Hunt with ZAP Fuzzing
ZAP’s fuzzer allows you to throw a series of IDs at the endpoint to see which ones return valid data.

After launching the fuzzing session, we quickly start seeing meaningful responses:

A couple of IDs return different content — confirming that multiple objects are accessible without authorization. And just like that, the IDOR is fully mapped!
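As an added illustration (not code from the post or from the challenge), here is the pattern described in the previous sections, a handler that trusts a client‑supplied ID, beside a hardened version that binds the object to the server‑side session, plus a small log heuristic that flags the kind of ID sweep a fuzzing run produces. The storage records, the Session object and the access‑log format are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the challenge's per-user panels.
STORAGE = {
    1: {"owner": 1, "panel": "Santa's workshop inventory"},
    2: {"owner": 2, "panel": "Elf #2 toy list"},
    3: {"owner": 3, "panel": "Reindeer feed schedule"},
}

@dataclass
class Session:
    user_id: int        # established server-side at login, never read from the URL
    roles: tuple = ()   # e.g. ("admin",)

def get_panel_vulnerable(requested_id: int) -> dict:
    """IDOR pattern: the client-supplied ID selects the object, nothing ties it to the caller."""
    record = STORAGE.get(requested_id)
    if record is None:
        raise KeyError("not found")
    return record

def get_panel_hardened(session: Session, requested_id: int) -> dict:
    """Bind the object to the authenticated subject before returning it."""
    record = STORAGE.get(requested_id)
    allowed = record is not None and (
        record["owner"] == session.user_id or "admin" in session.roles
    )
    if not allowed:
        # One error for both "missing" and "not yours", so a fuzzer cannot
        # tell existing objects from non-existent ones by the response.
        raise PermissionError("forbidden")
    return record

# Constructed access-log lines: "<session> GET <path> <status>".
SAMPLE_LOG = [
    "s-abc GET /storage?id=1 200",
    "s-abc GET /storage?id=2 200",
    "s-abc GET /storage?id=3 200",
    "s-abc GET /storage?id=4 403",
    "s-xyz GET /storage?id=2 200",
]

def idor_sweep_suspects(log_lines, threshold=3):
    """Detection heuristic: sessions that request >= threshold distinct object IDs."""
    ids_by_session = {}
    for line in log_lines:
        session_id, _, path, _status = line.split()
        ids_by_session.setdefault(session_id, set()).add(path.split("id=", 1)[1])
    return sorted(s for s, ids in ids_by_session.items() if len(ids) >= threshold)
```

The hardened handler is what closes the finding; the log heuristic is a cheap way to notice that someone is walking the id parameter the way the fuzzer does.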
🎯 Final Thoughts
ZAP makes IDOR detection not only straightforward but also automatable. While manual testing is still important to understand context, fuzzing accelerates the process and uncovers cases you might miss doing things by hand.