Han Toan Lim


Contributions

Insecure Direct Object Reference (IDOR)
IDOR can show up in many places: not only in changing IDs in URLs, but also in how files are stored and accessed.

Check the URL of a downloaded file. E.g. it is possible to upload a CV to a job application website, and the user can download the latest version to check whether it needs updating. Copy the URL of the downloaded document into a word processor. Log in with another user ID and password, paste the copied URL into the address field and press return. If the document is shown, other users can access personal data.

A more advanced check is to change the name of the previously uploaded file in the URL, e.g. replace CV_John_Smith.pdf with CV_Peter_Jones.pdf.
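The fix on the server side is an ownership check on every file download. The following is an added example (not part of the glossary entry) modelling a CV download endpoint as plain functions: the vulnerable version locates the file by the name in the URL alone, the hardened version also requires the file to belong to the logged-in user and records denied attempts for monitoring. The file store, user IDs and file names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StoredFile:
    owner_id: int      # user who uploaded the file
    name: str          # file name as it appears in the download URL
    content: bytes


# Constructed sample store: file name -> stored file, as a naive server might keep it.
FILES: Dict[str, StoredFile] = {
    "CV_John_Smith.pdf": StoredFile(1, "CV_John_Smith.pdf", b"john's cv"),
    "CV_Peter_Jones.pdf": StoredFile(2, "CV_Peter_Jones.pdf", b"peter's cv"),
}

# Denied download attempts; a real service would send these to its audit log,
# since repeated denials from one session are a useful IDOR probing signal.
DENIED_LOG: List[str] = []


def download_vulnerable(session_user_id: int, filename: str) -> Optional[bytes]:
    """Vulnerable: the file is found by the URL file name only.
    The session user is never consulted, so any logged-in user who knows or
    guesses another user's file name receives that user's document."""
    stored = FILES.get(filename)
    return stored.content if stored else None


def download_hardened(session_user_id: int, filename: str) -> Optional[bytes]:
    """Hardened: the file must exist AND be owned by the logged-in user.
    A non-owner gets the same 'not found' answer as a missing file, so the
    response does not reveal whether another user's file exists."""
    stored = FILES.get(filename)
    if stored is None:
        return None
    if stored.owner_id != session_user_id:
        DENIED_LOG.append(f"user={session_user_id} denied file={filename}")
        return None
    return stored.content


if __name__ == "__main__":
    # User 2 requesting user 1's CV: leaked by the vulnerable handler, refused by the fix.
    print(download_vulnerable(2, "CV_John_Smith.pdf"))   # b"john's cv"
    print(download_hardened(2, "CV_John_Smith.pdf"))     # None
    print(DENIED_LOG)
```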