I spend a significant amount of time reading security stuff.
Co-Founder/Partner @CoastlineCyber
https://t.co/ZQT5L8q2RO
Mar 19, 2024 • 6 tweets • 2 min read
IDORs are lucrative in app testing and the Authorize plugin is really helpful, but I'm going to share my favorite tip that personally gets me the most coverage.
Match and replace, and it's my favorite way to find IDORs. How do I use it?
👇
1) Identify what the app uses for identifiers. Most of the time it's UUIDs.
2) Install and map the application. Notice the UUIDs will be stored under "issues" in Burp. They will be informational, but very helpful. github.com/PortSwigger/uu…
Sep 11, 2023 • 11 tweets • 3 min read
How I just gained access to 22 unauthorized endpoints across 116 websites (260k endpoints) in about 10 minutes. Use what you're comfy with.
👇
Once I have my list of sites, I load them into my Burp Suite site map via Firefox. There are many ways to do it. If it's not thousands of sites, I use the Bulk Open extension. There are others.
Feb 11, 2023 • 6 tweets • 2 min read
Yesterday, I had a customer send me a Nessus report and an AppSpider report. They were both clean. A few minor config issues that are the norm in those automated tools.
They were sure there was nothing to find as they do them monthly.
I found a list of all users, sqli and 2 xss. 👇
I fired up Burp Suite and started manually clicking on all links in the web app. The app isn't more than 20 links, is all .aspx, and has a login page for which I don't have creds.
Using my sitemap I made a custom wordlist of directories and parameters using