Summary

During recon, I discovered a public API endpoint that initially appeared vulnerable to IDOR, but was later identified as intended behavior due to non-sensitive public data exposure.

Discovery

While enumerating subdomains, I found:

api.example.com

Visiting it revealed a redirect to:

developers.example.com

After fuzzing the developer domain:

developers.example.com/api

I identified the following endpoint:

/api/v2/users/{userid}

Testing

I tested the endpoint on the main API:

https://api.example.com/api/v2/users/1

By modifying the userid:

/users/2
/users/3
/users/10

The API returned user data successfully without authentication or authorization.

Impact Analysis

Despite the behavior resembling IDOR:

  • Returned data was non-sensitive (username, name, followers, role) and considered public information
  • Endpoint is part of a public API
  • No restricted information exposed

➡ Classified as Informational (Public Data Exposure)
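The classification step above can be made repeatable: compare the fields each userid actually returns against the set the report treats as public, and only call the finding Informational when nothing else leaks. This is an added example, not code from the report; the PUBLIC_FIELDS set and the sample responses are constructed assumptions standing in for real /api/v2/users/{userid} output.

```python
"""Triage helper for an IDOR-looking endpoint: decide whether the exposure is
public-data-only (Informational) or includes fields that need a real review.
Example code; the public field set and sample responses are assumptions."""
import json

# Fields the report lists as public for /api/v2/users/{userid}; any other
# field is treated as non-public until a human confirms it (assumption).
PUBLIC_FIELDS = {"id", "username", "name", "followers", "role"}

# Constructed sample bodies standing in for /api/v2/users/1, /2 and /3.
SAMPLE_RESPONSES = {
    1: '{"id": 1, "username": "alice", "name": "Alice A", "followers": 120, "role": "member"}',
    2: '{"id": 2, "username": "bob", "name": "Bob B", "followers": 3, "role": "admin"}',
    3: '{"id": 3, "username": "carol", "name": "Carol C", "followers": 9, "role": "member",'
       ' "profile": {"email": "carol@example.com"}}',
}


def flatten(obj, prefix=""):
    """Yield dotted key paths so nested objects (e.g. profile.email) are checked too."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    else:
        yield prefix.rstrip(".")


def triage(responses, public_fields=PUBLIC_FIELDS):
    """Return (verdict, {userid: sorted list of non-public field paths})."""
    unexpected = {}
    for userid, body in responses.items():
        extra = sorted(f for f in flatten(json.loads(body)) if f not in public_fields)
        if extra:
            unexpected[userid] = extra
    if unexpected:
        return "Needs review: non-public fields returned", unexpected
    return "Informational (Public Data Exposure)", unexpected


if __name__ == "__main__":
    verdict, details = triage(SAMPLE_RESPONSES)
    print(verdict)
    for uid, fields in details.items():
        print(f"  /api/v2/users/{uid}: {fields}")
```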

Takeaways

  • Always verify data sensitivity
  • Check if the API is intended to be public
  • Don't confuse enumeration with exploitation