diff --git a/Command Injection/README.md b/Command Injection/README.md
index 9eefa07..9b297fb 100644
--- a/Command Injection/README.md	
+++ b/Command Injection/README.md	
@@ -247,7 +247,7 @@ echo whoami|$0
 ```
 
 
-### Bypass with $()
+#### Bypass with $()
 
 ```powershell
 who$()ami
diff --git a/Insecure Direct Object References/README.md b/Insecure Direct Object References/README.md
index a2fd20e..49b3445 100644
--- a/Insecure Direct Object References/README.md	
+++ b/Insecure Direct Object References/README.md	
@@ -6,69 +6,123 @@
 ## Summary
 
 * [Tools](#tools)
-* [Exploit](#exploit)
-    * [IDOR Tips](#idor-tips)
-* [Examples](#examples)
 * [Labs](#labs)
+* [Exploit](#exploit)
+    * [Numeric Value Parameter](#numeric-value-parameter)
+    * [Common Identifiers Parameter](#common-identifiers-parameter) 
+    * [Weak Pseudo Random Number Generator](#weak-pseudo-random-number-generator) 
+    * [Hashed Parameter](#hashed-parameter)
+    * [Wildcard Parameter](#wildcard-parameter)
+    * [IDOR Tips](#idor-tips)
 * [References](#references)
 
 
 ## Tools
 
-- [BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)
-- [BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)
-- [BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
-
-
-## Exploit
-
-For instance, consider a URL like `https://example.com/account?userid=123`. In this case, `123` is a direct object reference to a specific user's account. If the application doesn't properly check that the logged-in user has the right to access the account related to `userid=123`, then any user could potentially change the userid in the URL to access other users' accounts.
-
-![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Direct%20Object%20References/Images/idor.png)
-
-The value of a parameter is used directly to retrieve a database record.
-
-```powershell
-http://foo.bar/somepage?invoice=12345
-```
-
-The value of a parameter is used directly to perform an operation in the system
-
-```powershell
-http://foo.bar/changepassword?user=someuser
-```
-
-The value of a parameter is used directly to retrieve a file system resource
-
-```powershell
-http://foo.bar/showImage?img=img00011
-```
-
-The value of a parameter is used directly to access application functionality
-
-```powershell
-http://foo.bar/accessPage?menuitem=12
-```
-
-
-### IDOR Tips
-
-* Change the HTTP request: POST → PUT
-* Change the content type: XML → JSON
-* Increment/decrement numerical values (1,2,3,..)
-* GUID/UUID might be weak
-* Transform numerical values to arrays: `{"id":19} → {"id":[19]}`
-
-
-## Examples
-
-* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
-* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)
+- [PortSwigger/BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)
+- [PortSwigger/BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)
+- [PortSwigger/BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
 
 
 ## Labs
 
-* [PortSwigger - Insecure direct object references](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
+* [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
+
+
+## Exploit
+
+IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion.
+
+**Example of IDOR**
+
+Imagine a web application that allows users to view their profile by clicking a link `https://example.com/profile?user_id=123`:
+
+```php
+<?php
+    $user_id = $_GET['user_id'];
+    $user_info = get_user_info($user_id);
+    ...
+```
+
+Here, `user_id=123` is a direct reference to a specific user's profile. If the application doesn't properly check that the logged-in user has the right to view the profile associated with `user_id=123`, an attacker could simply change the `user_id` parameter to view other users' profiles:
+
+```ps1
+https://example.com/profile?user_id=124
+```
+
+![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Direct%20Object%20References/Images/idor.png)
+
+
+### Numeric Value Parameter
+
+Increment and decrement these values to access sensitive informations.
+
+* Decimal value: `287789`, `287790`, `287791`, ...
+* Hexadecimal: `0x4642d`, `0x4642e`, `0x4642f`, ...
+* Unix epoch timestamp: `1695574808`, `1695575098`, ...
+
+**Examples**
+* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
+* [HackerOne - Delete messages via IDOR - naaash](https://hackerone.com/reports/697412)
+
+### Common Identifiers Parameter
+
+Some identifiers can be guessed like names and emails, they might grant you access to customer data.
+
+* Name: `john`, `doe`, `john.doe`, ...
+* Email: `john.doe@mail.com`
+* Base64 encoded value: `am9obi5kb2VAbWFpbC5jb20=`
+
+**Examples**
+* [HackerOne - Insecure Direct Object Reference (IDOR) - Delete Campaigns - datph4m](https://hackerone.com/reports/1969141)
+
+
+### Weak Pseudo Random Number Generator
+
+* UUID/GUID v1 can be predicted if you know the time they were created: `95f6e264-bb00-11ec-8833-00155d01ef00`
+* MongoDB Object Ids are generated in a predictable manner: `5ae9b90a2c144b9def01ec37`
+    * a 4-byte value representing the seconds since the Unix epoch
+    * a 3-byte machine identifier
+    * a 2-byte process id
+    * a 3-byte counter, starting with a random value
+
+**Examples**
+* [HackerOne - IDOR allowing to read another user's token on the Social Media Ads service - a_d_a_m](https://hackerone.com/reports/1464168)
+* [IDOR through MongoDB Object IDs Prediction](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
+
+
+### Hashed Parameter
+
+Sometimes we see websites using hashed values to generate a random user id or token, like `sha1(username)`, `md5(email)`, ...
+
+* MD5: `098f6bcd4621d373cade4e832627b4f6`
+* SHA1: `a94a8fe5ccb19ba61c4c0873d391e987982fbbd3`
+* SHA2: `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08`
+
+**Examples**
+* [IDOR with Predictable HMAC Generation - DiceCTF 2022 - CryptoCat](https://youtu.be/Og5_5tEg6M0)
+
+
+### Wildcard Parameter
+
+Send a wilcard instead of an ID, some backend might respond with the data of all the users.
+
+* `GET /api/users/* HTTP/1.1`
+* `GET /api/users/% HTTP/1.1`
+* `GET /api/users/_ HTTP/1.1`
+* `GET /api/users/. HTTP/1.1`
+
+
+**Examples**
+* [TODO]()
+
+
+### IDOR Tips
+
+* Change the HTTP request: `POST → PUT`
+* Change the content type: `XML → JSON`
+* Transform numerical values to arrays: `{"id":19} → {"id":[19]}`
+* Use Parameter Pollution: `user_id=hacker_id&user_id=victim_id`
 
 
 ## References
@@ -76,7 +130,10 @@ http://foo.bar/accessPage?menuitem=12
 * [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
 * [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
 * [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
-* [IDOR tweet as any user](http://kedrisec.com/twitter-publish-by-any-user/) by kedrisec
 * [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
 * [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/) 
-* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
\ No newline at end of file
+* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
+* [IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained - ](https://youtu.be/wx5TwS0Dres)
+* [Testing for IDORs - PortSwigger](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors)
+* [Insecure direct object references (IDOR) - PortSwigger](https://portswigger.net/web-security/access-control/idor)
+* [The Rise of IDOR - HackerOne - April 2nd, 2021](https://www.hackerone.com/company-news/rise-idor)
\ No newline at end of file
diff --git a/Insecure Randomness/README.md b/Insecure Randomness/README.md
index 9f23fe7..8471b42 100644
--- a/Insecure Randomness/README.md	
+++ b/Insecure Randomness/README.md	
@@ -5,6 +5,8 @@
 * [GUID / UUID](#guid--uuid)
     * [GUID Versions](#guid-versions)
     * [Tools](#tools)
+* [Mongo ObjectId](#mongo-objectid)
+    * [Tools](#tools)
 * [References](#references)
 
 ## GUID / UUID
@@ -38,6 +40,25 @@ The four-bit M and the 1- to 3-bit N fields code the format of the UUID itself.
     $ guidtool 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c -t '2021-11-17 18:03:17' -p 10000
     ```
 
+## Mongo ObjectId
+
+Mongo ObjectIds are generated in a predictable manner, the 12-byte ObjectId value consists of: 
+* **Timestamp** (4 bytes): Represents the ObjectId’s creation time, measured in seconds since the Unix epoch (January 1, 1970).
+* **Machine Identifier** (3 bytes): Identifies the machine on which the ObjectId was generated. Typically derived from the machine's hostname or IP address, making it predictable for documents created on the same machine.
+* **Process ID** (2 bytes): Identifies the process that generated the ObjectId. Typically the process ID of the MongoDB server process, making it predictable for documents created by the same process.
+* **Counter** (3 bytes): A unique counter value that is incremented for each new ObjectId generated. Initialized to a random value when the process starts, but subsequent values are predictable as they are generated in sequence.
+
+### Tools
+
+* [andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict) - Predict Mongo ObjectIds
+    ```ps1
+    ./mongo-objectid-predict 5ae9b90a2c144b9def01ec37
+    5ae9bac82c144b9def01ec39
+    5ae9bacf2c144b9def01ec3a
+    5ae9bada2c144b9def01ec3b
+    ```
+
 ### References
 
-* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
\ No newline at end of file
+* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
+* [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
\ No newline at end of file