If the parameter is not encoded with base64 you can use Burp intruder tab to create payloads and test the IDOR vulnerability.
First we should find the IDOR parameter to enumerate. Assume that you have the following url that you can download a report.
http://www.example.com/Download.ashx?RprtTkn=MTExMjIyfGZpeHBhcmFtZXRlcnxhbm90aGVyX2ZpeGVkX3BhcmFtZXRlcnw==Look at the token carefully and try to base64 decode it. Keep in mind wherever and whenever you see such a string first try to base64 decode. You can use Burp decoder tab or any other online tool to decode . After decoding the base64 encoded string we get the following decoded string
111222|fixparameter|another_fixed_parameter|We are not interested with the fixed parameters So let's focus on the first bold part of the string where we can enumerate and find out whether it is exploitable or not.
To do this ;
- We should start a loop to change the bold part of the string which will be our IDOR enumeration value
- Then construct and base64 encode
- Then send the request
Before starting to write our python code you can easily copy the authenticated request as cURL from chrome and convert it to python requests code using an online service . Because you will need to add authentication cookie and other headers before you made a request to the url.
Combining all of the above explanations we have the following python code to enumerate the parameter.