An access control vulnerability exists when an attacker can gain access to information or perform actions not intended for them.
An IDOR (Insecure Direct Object Reference) vulnerability can occur when a web server uses user-supplied input to retrieve objects (files, data, documents), places too much trust in that input, and does not validate whether the user should, in fact, have access to the requested object.
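The missing check described above, shown as an added example that is not part of the original page: a lookup handler that trusts the client-supplied ID beside a version that verifies ownership server-side, plus a regression check that flags any cross-user read. The document store, handler names and user names are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str

# Constructed sample store: two users, sequential (guessable) IDs.
DOCUMENTS = {
    1001: Document(1001, "alice", "alice's invoice"),
    1002: Document(1002, "bob", "bob's invoice"),
}

def get_document_vulnerable(session_user: str, requested_id: str):
    """IDOR: trusts the client-supplied ID; session_user is never consulted."""
    doc = DOCUMENTS.get(int(requested_id))
    if doc is None:
        return 404, None
    return 200, doc.body

def get_document_checked(session_user: str, requested_id: str):
    """Hardened: validates the input, then checks ownership server-side."""
    try:
        doc_id = int(requested_id)
    except ValueError:
        return 400, None
    doc = DOCUMENTS.get(doc_id)
    # Same 404 for "missing" and "not yours", so the response does not
    # confirm which IDs exist.
    if doc is None or doc.owner != session_user:
        return 404, None
    return 200, doc.body

def cross_user_leaks(handler):
    """Regression check: every (user, doc_id) pair where a user is served
    a document they do not own. An empty list means no IDOR was found."""
    users = sorted({d.owner for d in DOCUMENTS.values()})
    leaks = []
    for user in users:
        for doc_id, doc in sorted(DOCUMENTS.items()):
            status, _body = handler(user, str(doc_id))
            if status == 200 and doc.owner != user:
                leaks.append((user, doc_id))
    return leaks

if __name__ == "__main__":
    print("vulnerable:", cross_user_leaks(get_document_vulnerable))
    print("checked:   ", cross_user_leaks(get_document_checked))
```

The same ownership matrix can be run against a real application's test suite by swapping the handler for an authenticated request per user.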
Find and Exploit
Post Variables
Examining the contents of forms on a website can sometimes reveal fields that could be vulnerable to IDOR exploitation.
For instance, consider the following HTML code for a form that updates a user's password: