IDOR

an IDOR vulnerability mainly exists due to the lack of an access control on the back-end

Identify

From URL

?uid=1
?filename=file_1.pdf)

JavaScript AJAX

Look for front end javascripts.

Hashing / Encoding items

Identify hash algorithm.
e.g. download.php?filename=c81e728d9d4c2f636f067f89cc14862c

Compare User Roles

Compare user1 API vs user2 API.

Mass IDOR Enumeration

Insecure Parameters

Identify URL pattern and enumerate.

Bypassing Encoded References

Hashed IDOR