I found that when we click the "Settings" button, we can see all the projects, even the ones the logged-in user does not belong to. Using Burp Suite to intercept the request, we can obtain the project IDs of every project. We can then use a project ID to perform an IDOR attack.
1. Create two projects, project1 and project2, whose admins are admin1 and admin2 respectively.
2. Log in as admin2 and click "Settings". Use Burp Suite to intercept the request; the response contains the projectid of both project1 and project2.
3. Go to "project settings" of project2, click "member", and add a member.
4. Use Burp Suite to intercept the add-member request and replace project2's projectid with project1's projectid.
5. Project1 now has a new member, even though admin2 is not an admin of project1.
A UUID-format projectid would otherwise make IDOR hard to exploit, because the ID cannot be guessed, but we disclose it to every end user through the settings page, so that protection is lost. The add-member request also needs a server-side check that the caller is an admin of the project named in the request, not just of the project whose page they came from.
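To make both problems concrete, the following is an added example in Python, not the project's own code: a minimal in-memory model with a project listing that leaks every project's id, an add-member handler that trusts the posted projectid without checking who administers it, and the hardened versions of both. All names (Project, make_store, the handler functions, the user names) are assumptions for illustration; the sample data is constructed to mirror the steps above.

```python
# Added example (not the reported project's code). Models the two weaknesses
# in the report: the settings listing exposes all project ids, and the
# add-member request is not authorized against the target project.
import uuid


class Forbidden(Exception):
    """Raised by the hardened handler when the caller is not an admin."""


class Project:
    def __init__(self, name, admin):
        # A random UUID cannot be guessed, but that is worthless once the
        # listing endpoint hands it to every logged-in user.
        self.id = str(uuid.uuid4())
        self.name = name
        self.admins = {admin}
        self.members = {admin}


def make_store():
    """Constructed sample data: project1 (admin1) and project2 (admin2)."""
    p1 = Project("project1", "admin1")
    p2 = Project("project2", "admin2")
    return {p1.id: p1, p2.id: p2}


def project_id_by_name(store, name):
    return next(pid for pid, p in store.items() if p.name == name)


# --- vulnerable handlers (behaviour described in the report) ---

def list_projects_vulnerable(store, user):
    # Returns every project, so any user learns every projectid.
    return [p.id for p in store.values()]


def add_member_vulnerable(store, user, projectid, new_member):
    # projectid comes straight from the request body; nobody checks that
    # `user` administers that project. Swapping the id is all it takes.
    store[projectid].members.add(new_member)
    return store[projectid]


# --- hardened handlers ---

def list_projects_fixed(store, user):
    # Only projects the caller is a member of are returned.
    return [p.id for p in store.values() if user in p.members]


def add_member_fixed(store, user, projectid, new_member):
    # Authorization is decided against the object named in the request.
    project = store.get(projectid)
    if project is None or user not in project.admins:
        # One response for "no such project" and "not your project", so a
        # leaked or guessed id is not confirmed as valid.
        raise Forbidden("not an admin of this project")
    project.members.add(new_member)
    return project


def replay_report():
    """Replays steps 2-5 against both versions. Returns (vuln_ok, fixed_blocked)."""
    store = make_store()
    p1 = project_id_by_name(store, "project1")
    # step 2: admin2 obtains project1's id from the listing
    leaked = p1 in list_projects_vulnerable(store, "admin2")
    # steps 4-5: admin2 posts project1's id and a new member appears
    add_member_vulnerable(store, "admin2", p1, "mallory")
    vuln_ok = leaked and "mallory" in store[p1].members

    store = make_store()
    p1 = project_id_by_name(store, "project1")
    hidden = p1 not in list_projects_fixed(store, "admin2")
    try:
        add_member_fixed(store, "admin2", p1, "mallory")
        blocked = False
    except Forbidden:
        blocked = True
    fixed_blocked = hidden and blocked and "mallory" not in store[p1].members
    return vuln_ok, fixed_blocked


if __name__ == "__main__":
    print(replay_report())
```

The hardened add-member handler is the important half: hiding the ids only raises the cost of guessing, while checking `user in project.admins` on the server stops the attack even if an id leaks some other way.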