Contents hide

1 Critical IDOR Vulnerability in Webhook Deletion – A Real-World Exploitation Guide

1.2 Why IDOR in Webhook Deletion is Critical

1.3 Reconnaissance – Finding the Endpoint

1.4 Step-by-Step Exploitation

1.5 Proof of Concept (PoC)

1.6 Impact Analysis

1.7 Severity Assessment (CVSS v3.1)

1.8 Recommendations to Fix Critical IDOR vulnerability

1.9 Final Thoughts

1.9.1 Get the Latest Cybersecurity & Bug Bounty Drops

Critical IDOR Vulnerability in Webhook Deletion – A Real-World Exploitation Guide

When testing web applications, one of the most common but high-impact issues I encounter is Insecure Direct Object Reference (IDOR). In this blog, I will walk you through how I discovered a Critical IDOR vulnerability in a webhook deletion functionality on my testing platform (hackersatty.com).

This post is a complete breakdown of how I identified the vulnerable endpoint, exploited it, and demonstrated real-world impact — all while following responsible testing practices.

What is an IDOR Vulnerability?

Insecure Direct Object Reference (IDOR) is a type of access control vulnerability where an application exposes internal identifiers (like user IDs, webhook IDs, or document IDs) without properly checking if the user is authorized to access them.

In simple terms: if you can change an id in a request and access or delete something that belongs to another user, the application is vulnerable to IDOR.

Why IDOR in Webhook Deletion is Critical

Webhooks are essential for integrating systems — they send automated updates and notifications between platforms.

Now, imagine a situation where any user can delete another user’s webhook. This means:

Service disruption
Loss of customer integrations
Denial of important notifications
Direct impact on business operations

That’s why Critical IDOR vulnerability IDOR in webhook deletion is classified as Critical.

Reconnaissance – Finding the Endpoint

During my testing on hackersatty.com, I followed a systematic process to identify the vulnerable endpoint:

Create an account (Account A) and explore available features.
Enable developer tools (browser DevTools or Burp Suite) to capture requests.
Create a webhook → noted down the request and observed an id parameter.
Saw that the webhook deletion was performed via:

POST /pr/settings/webhook/{uuid} X-Methodoverride: DELETE
Registered another account (Account B).
Repeated the same process to create a webhook, confirming that each webhook had a unique id.

This made me suspect that simply changing the id might allow cross-account access.

Step-by-Step Exploitation

Here’s how I reproduced the issue:

Account A creates a webhook → assigned id=15120.
Captured the deletion request:

POST /pr/settings/webhook/3c4320d4-cdaa-456a-94a3-c883c8821f27 X-Methodoverride: DELETE id=15120&csrfmiddlewaretoken=<token>
Account B creates its own webhook → assigned id=15122.
Using Account B’s session, I replayed the captured deletion request.
Modified the request to target Account A’s webhook ID (id=15120).
Result: Account B successfully deleted Account A’s webhook.

Proof of Concept (PoC)

Request (Attacker – Account B deleting Account A’s webhook):

Response:

✔ Confirms that Account B deleted Account A’s webhook without authorization.

Reference: HackerOne’s Guide to Broken Access Control.

Critical IDOR Vulnerability PoC — Proof of Concept showing how an attacker exploited a Critical IDOR Vulnerability.

Impact Analysis

The vulnerability directly affects integrity and availability of the application:

Any user can delete webhooks of others.
Attack requires no elevated privileges — just a free account.
Real-world consequences: service disruptions, broken integrations, loss of business data.

Severity Assessment (CVSS v3.1)

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Integrity (I): High
Availability (A): High

Score: 9.1 (Critical)

Recommendations to Fix Critical IDOR vulnerability

Enforce proper authorization checks – Verify that the user owns the webhook before allowing deletion.
Use Object-Level Access Control – Implement strict checks for every request modifying user resources.
Avoid predictable identifiers – Use UUIDs instead of sequential numeric IDs.

Final Thoughts

This case study demonstrates how a simple oversight in access control can lead to a Critical IDOR vulnerability.

By following a structured approach — from endpoint discovery, testing unique IDs, to replaying requests — I was able to identify a severe issue that impacts the core integrity and availability of the application.

For developers, the lesson is clear: never trust client-side input and always enforce authorization checks at the server level.

For security researchers, this highlights why IDOR remains one of the most dangerous yet common vulnerabilities.

Bug Bounty Blogs

5 Steps to Exploit a Critical IDOR Vulnerability in Webhook Deletion

Critical Unauthorized Access to Admin Pages via Vulnerable Endpoints – A Bug Bounty Case Study

How I Discovered an API Security Vulnerability in a Staging Environment (and What You Can Learn from It)

Protected: Wildcard Bug Bounty Methodology: 10 Advanced Steps to Find High-Value Vulnerabilities in 2025

GraphQL Introspection Exposure: The 1 Hidden Blueprint That Could Undermine Your Entire Backend

Apache server-info Exposure: 7-Step Deep Analysis of 403 Bypass & Internal Data Leak

LDAP Credential Exposure: 7-Step In-Depth Analysis of an Unauthenticated Data Leak

25+ Google Dorks for Bug Bounty: Find Exposed Signatures, NDAs & Confidential Docs

Powerful $1000 Bug Bounty Guide: Discover Hidden Endpoints in JavaScript JS Files

IDOR Vulnerability Exploited: 2025 Bug Bounty Case Study on Broken Access Control & Privilege Escalation