Insecure Direct Object Reference (IDOR)
Also known as: IDOR, Direct object reference vulnerability
Definition
An access-control flaw where an application exposes references to internal objects and lets a user change them to access data that does not belong to them.
IDOR occurs when an endpoint uses a user-supplied identifier (numeric ID, UUID, filename, account number) to fetch or modify an object without verifying that the caller is authorized for that specific object. Sequential IDs and predictable references make exploitation trivial, but even UUIDs are unsafe if any user can guess or leak them. IDOR is one of the most common bug-bounty findings and a leading cause of multi-tenant data breaches. Fixes include enforcing per-request ownership checks on the server, scoping database queries to the current user/tenant, using indirect references (opaque per-session maps), and adding automated tests for horizontal access.
Examples
- Changing /invoices/1042 to /invoices/1043 and reading another customer's invoice.
- Editing a profile picture URL parameter to overwrite another user's avatar.
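As an added example (not taken from this glossary), a minimal Python/sqlite3 sketch of the vulnerable lookup beside the two server-side fixes the definition names: ownership scoped into the query, and opaque per-session indirect references. The invoices table, the customer ids and the invoice ids 1042/1043 are constructed for illustration.

```python
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two customers (7 and 8), one invoice each.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1042, 7, 120.0), (1043, 8, 99.5)])
    return conn


def get_invoice_vulnerable(conn, invoice_id):
    # IDOR: the caller's identity is never consulted, so /invoices/1043 is
    # served to whoever asks for it.
    return conn.execute("SELECT id, owner_id, total FROM invoices WHERE id = ?",
                        (invoice_id,)).fetchone()


def get_invoice_scoped(conn, current_user_id, invoice_id):
    # Fix 1: the ownership check is part of the query itself, so a foreign id
    # simply yields no row. Missing and forbidden get the same error, which
    # avoids leaking whether an id exists.
    row = conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id)).fetchone()
    if row is None:
        raise PermissionError("invoice not found or not yours")
    return row


class IndirectRefs:
    """Fix 2: per-session opaque handles; the client never sees the real key."""

    def __init__(self):
        self._handles = {}

    def issue(self, real_id):
        handle = secrets.token_urlsafe(16)   # unguessable, session-local
        self._handles[handle] = real_id
        return handle

    def resolve(self, handle):
        # Unknown or guessed handles map to nothing; the caller must treat
        # None exactly like a failed ownership check.
        return self._handles.get(handle)
```

In a real service the scoped query and the handle map are combined: resolve the handle to a real id, then still run the ownership-scoped query before returning data.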
Related terms
Broken Access Control
A class of vulnerabilities where authorization rules are missing or incorrectly enforced, letting users perform actions or reach data outside their privileges.
Horizontal Privilege Escalation
A flaw that lets a user access resources or actions of another user with the same privilege level rather than gaining higher rights.
Parameter Tampering
An attack in which an adversary modifies parameters in HTTP requests, cookies, or hidden form fields to manipulate application behaviour.