A simple IDOR worth $400.

Jun 2, 2024


In this blog post, I will tell you the simple but effective story of how I found an IDOR vulnerability.


First of all, I want to talk about the program. The target program was a shopping website. It was a little difficult to decide to hunt in this program, which had been active for about 2 years. I was afraid of duplicates, but I opened the target program and started browsing the target site for about 1–2 hours. I was trying to understand the logic of the website and collecting requests. I focused on this program for a day or two, but I didn’t find anything.

When the target is a shopping site, I first try business-logic attacks, such as ordering a product for free. I tried many things here and none of them worked.

I purchased the product and while the product was in the preparation phase, I canceled the product and wanted to return it. I then caught the request. The request link looks like this:


Yes, as you guessed, I quickly replaced the ID with other numbers like 1122 and 1121 and accessed the return pages of other users.



This page did not show any PII about the user, but there was an option to cancel the refund. By changing the ID number in the request, I could cancel other users’ refund requests.
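To show the gap behind this finding, here is an added illustration (my own example, not the program’s code): a minimal Python model of the refund-cancel handler with constructed refund records and hypothetical IDs. The insecure version trusts the ID from the request; the fixed version scopes the lookup to the logged-in user and answers 404 for both unknown and foreign IDs, so the endpoint does not confirm which refund IDs exist.

```python
from dataclasses import dataclass


@dataclass
class Refund:
    refund_id: int
    owner_id: int
    status: str = "requested"


def make_store() -> dict:
    """Constructed in-memory stand-in for the shop's refund table (hypothetical data)."""
    return {
        1120: Refund(1120, owner_id=7),
        1121: Refund(1121, owner_id=42),
        1122: Refund(1122, owner_id=99),
    }


def cancel_refund_insecure(store: dict, session_user_id: int, refund_id: int) -> int:
    """The IDOR pattern: the refund is looked up by the ID taken from the request,
    and ownership is never checked, so any logged-in user can cancel any refund."""
    refund = store.get(refund_id)
    if refund is None:
        return 404
    refund.status = "cancelled"
    return 200


def find_owned_refund(store: dict, owner_id: int, refund_id: int):
    """Object-level authorization: the lookup is keyed on the caller AND the ID,
    the same effect as a query with 'WHERE id = ? AND owner_id = ?'."""
    refund = store.get(refund_id)
    if refund is None or refund.owner_id != owner_id:
        return None
    return refund


def cancel_refund_secure(store: dict, session_user_id: int, refund_id: int) -> int:
    """Fixed handler: the refund must belong to the session user. Unknown and
    foreign IDs both get 404, so the response does not reveal which IDs exist."""
    refund = find_owned_refund(store, session_user_id, refund_id)
    if refund is None:
        return 404
    refund.status = "cancelled"
    return 200
```

The check belongs in the server-side handler; hiding the ID in the page or making it unguessable does not replace it.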

I sent the report. One day later the report was accepted and I was awarded $400. Endpoints like this can be overlooked on shopping sites. You have to make sure you test every function.

The product I wanted to buy was a black hat, but we must be a hacker with a white hat :)

For suggestions or questions, you can contact me at my LinkedIn address.

Good reading for everyone, stay healthy.