Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR) is an access control vulnerability that occurs when an application uses user-supplied input to directly access objects such as database records or files without verifying authorisation. Attackers can manipulate references to access other users' data.
Insecure Direct Object Reference is a type of broken access control where the application exposes internal implementation objects, such as database keys, file paths, or directory names, to users through URLs, form parameters, or API endpoints. When the application fails to verify that the requesting user is authorised to access the referenced object, any authenticated user can access any other user's data simply by changing the reference value.
IDOR vulnerabilities are extremely common in modern web applications and APIs. A typical example is a URL like /api/users/123/profile where changing 123 to 124 reveals another user's profile data. These flaws are particularly dangerous because they are simple to exploit, often require no special tools, and can expose large volumes of sensitive data through enumeration.
The impact of IDOR ranges from information disclosure (reading other users' private data) to data manipulation (modifying or deleting other users' records) and can affect any resource referenced by a predictable identifier.
Prevention requires implementing proper server-side access control checks for every request, using indirect references or UUIDs instead of sequential integers, validating that the authenticated user has permission to access the requested resource, and applying the principle of least privilege across all endpoints. Automated testing and code review should specifically look for missing authorisation checks on object references.
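As an added illustration (not code from the original article), the following Python model of the /api/users/123/profile endpoint discussed above shows the vulnerable handler beside a hardened one that ties the authorisation check to the authenticated session, plus a per-user indirect reference so the sequential database key is never exposed to the client. The profile records, user names and function names are constructed for the example; the point is that the opaque reference supplements the ownership check rather than replacing it.

```python
import uuid

# Constructed sample data: sequential ids map to private profile records.
PROFILES = {
    123: {"owner": "alice", "email": "alice@example.com"},
    124: {"owner": "bob", "email": "bob@example.com"},
}

class Forbidden(Exception):
    """Raised when the session user may not access the requested object."""

def get_profile_insecure(session_user: str, profile_id: int) -> dict:
    """IDOR: trusts the client-supplied id and never checks who owns it,
    so any authenticated user can read any profile by changing the id."""
    return PROFILES[profile_id]

def get_profile_checked(session_user: str, profile_id: int) -> dict:
    """Hardened: the object is released only if the session user owns it.
    Missing and not-owned objects get the same error, so the endpoint does
    not confirm which ids exist."""
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session_user:
        raise Forbidden("profile not accessible")
    return profile

# Indirect references: an opaque token, issued per user, stands in for the
# internal id. Keying the map on (user, token) means a token leaked or
# guessed by another user resolves to nothing for them.
_REFERENCE_MAP: dict = {}

def issue_reference(session_user: str, profile_id: int) -> str:
    """Issue a random per-user reference for an object the user owns."""
    get_profile_checked(session_user, profile_id)  # never issue for others' data
    token = uuid.uuid4().hex
    _REFERENCE_MAP[(session_user, token)] = profile_id
    return token

def get_profile_by_reference(session_user: str, token: str) -> dict:
    """Resolve the token, then still apply the server-side ownership check."""
    profile_id = _REFERENCE_MAP.get((session_user, token))
    if profile_id is None:
        raise Forbidden("unknown reference")
    return get_profile_checked(session_user, profile_id)

def access_outcome(handler, session_user: str, reference) -> str:
    """Report 'allowed' or 'denied' for one request, for review and testing."""
    try:
        handler(session_user, reference)
        return "allowed"
    except (Forbidden, KeyError):
        return "denied"
```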