This occurs when user supplied input, files, documents, etc has not been validated properly
Encoded IDs / Base64
It is extremely common for webservers and developers to encode data being passed from pages in base64 format. Occasionally, these may contain data that could be helpful, such as userids, hopefully not secrets, but you never know.
If you can decode the base64 and modify the contents, and send it back- you may find a vuln!
Hashed IDs / md5
Super common for IDs and other semi-sensitive data to be hashed in a url. md5 is commonly used, but there are a number of others!
Running hashes through a database can sometimes reveal information we weren’t supposed to see in human readable format.
Try creating 2 accounts on a site, and swapping the ids in the payloads and or URL. Are you able to access a different accounts data?
IDOR locations
An IDOR isn’t always in the address bar, in theory it could be in a cookie, a post/get request, or even a forgotten parameter
If a developer forgets to remove a testing parameter on an api call, you could get something like /user/data?userId=10 - where you aren’t supposed to be able to access user 10’s data.