IDOR
IDOR (Insecure Direct Object Reference) is a web application security vulnerability that allows unauthorized access to resources by manipulating object identifiers without proper authorization checks. Classified under OWASP Top 10 as Broken Access Control (A01:2021).
What is IDOR?
IDOR (Insecure Direct Object Reference) is a web application vulnerability from OWASP Top 10 (Broken Access Control, A01:2021). It occurs when an application exposes resources (files, records, invoices) based on user-supplied ID — without verifying whether the user has permission. Simple example: changing /invoices/1234 to /invoices/1235 reveals another customer’s invoice.
IDOR Definition
IDOR (Insecure Direct Object Reference) is one of the most common web application security vulnerabilities, classified in the OWASP Top 10 under Broken Access Control (A01:2021). This vulnerability occurs when an application provides direct access to internal objects (files, database records, resources) based on user-supplied input — without proper authorization verification.
For example, if the URL https://app.example.com/invoices/1234 displays invoice #1234, and changing it to /invoices/1235 reveals another user’s invoice — that is an IDOR vulnerability.
How Does an IDOR Attack Work?
An IDOR attack follows these steps:
- Pattern identification — the attacker analyzes how the application references resources (URL parameters, request body, headers).
- Identifier manipulation — the attacker changes the identifier value (e.g., user ID, invoice number, file UUID).
- Missing verification — the application fails to check whether the authenticated user has permission to access the requested resource.
- Unauthorized access — the attacker gains access to another user’s data, potentially reading, modifying, or deleting it.
Identifiers can be easy to guess (sequential integers) or seemingly random (UUIDs, hashes), though the identifier format alone does not protect against the attack — server-side validation is what matters.
Types of IDOR
- Horizontal IDOR — accessing resources of another user at the same privilege level (e.g., user A views user B’s data).
- Vertical IDOR — privilege escalation — accessing resources requiring a higher authorization level (e.g., regular user accesses admin panel).
- Write-operation IDOR — not just reading, but modifying or deleting another user’s resources (e.g., changing another user’s password).
- File-based IDOR — accessing other users’ files by manipulating file paths or identifiers.
IDOR Vulnerability Examples
URL Parameter
GET /api/users/42/profile → user 42's profile
GET /api/users/43/profile → another user's profile (no verification)Request Body
POST /api/transfer
{
"from_account": "ACC-1001",
"to_account": "ACC-2002",
"amount": 1000
}Changing from_account to another user’s account enables fund theft.
Query Parameter
GET /download?file_id=8839 → downloading another user's fileApplications of IDOR Knowledge
- Penetration testing — IDOR is one of the first attack vectors tested during web application pentests.
- Bug bounty — IDOR is one of the most frequently reported vulnerabilities in bug bounty programs.
- Code review — reviewing code for object-level access control.
- Threat modeling — identifying points where missing authorization checks could lead to data leaks.
Threats and Challenges
- Personal data leaks — IDOR can lead to GDPR violations with serious legal consequences.
- Mass extraction — attackers can automate iteration over sequential IDs to download all users’ data.
- Detection difficulty — automated scanners rarely detect IDOR because it requires business context and understanding of authorization logic.
- False sense of security — using UUIDs instead of sequential IDs does not eliminate the vulnerability, only makes attacks harder.
- Cascading effects — IDOR in one endpoint can enable further access escalation.
Prevention Best Practices
- Implement object-level authorization checks — every endpoint must verify the user’s right to access the requested resource.
- Use indirect object references — map internal IDs to random per-session tokens.
- Implement server-side access control — never rely on UI element hiding.
- Use authorization frameworks with ABAC (Attribute-Based Access Control) or RBAC (Role-Based Access Control) policies.
- Conduct regular penetration tests with specific focus on IDOR scenarios.
- Deploy logging and monitoring for unauthorized resource access attempts.
- Add rate limiting on API endpoints to hinder mass identifier scanning.
- Include IDOR in code review processes and security checklists.
Related Terms
- OWASP Top 10 - top web application vulnerabilities
- Penetration Testing - controlled security testing
- Secure Coding - practices minimizing vulnerabilities
- Access Control - permission management mechanisms
Explore Our Services
Want to check if your application is vulnerable to IDOR? Get in touch:
- Security Audits - comprehensive application security testing
- Cybersecurity - system and data protection
Frequently asked questions
+ What is IDOR vulnerability?
IDOR (Insecure Direct Object Reference) is a web application security vulnerability classified in OWASP Top 10 as Broken Access Control (A01:2021). It occurs when an application provides direct access to resources (files, database records, invoices) based on user-supplied ID — without verifying whether the user has permission for that resource. Example: changing /invoices/1234 to /invoices/1235 reveals another customer's invoice.
+ What are the types of IDOR attacks?
4 main types: (1) Horizontal IDOR — access to resources of another user at same privilege level (customer A sees customer B's orders), (2) Vertical IDOR — privilege escalation (regular user enters admin panel via ID manipulation), (3) Write-operation IDOR — modifying/deleting others' data (not just reading), (4) File-based IDOR — access via path or UUID manipulation.
+ How to find IDOR in a pentest?
IDOR testing process: (1) map all endpoints accepting IDs in URL/body/header, (2) create 2 test accounts (user_A, user_B) with sample data, (3) log in as A, execute request for own data, save response, (4) substitute ID with B's ID, replay request with A's cookies/token, (5) check if response contains B's data (leak) or allows write (escalation). Tools: Burp Suite Autorize, OWASP ZAP HUD, AuthMatrix.
+ How is UUID different from sequential ID in IDOR context?
UUIDs (e.g., 550e8400-e29b-41d4-a716-446655440000) are practically impossible to guess via brute force, but they DO NOT ELIMINATE IDOR vulnerability — they only make discovery harder. The attack works when UUIDs leak through other channels: API listing endpoints, mobile app reverse engineering, log access, link sharing. Mandatory object-level authorization remains essential regardless of ID format.
+ How to prevent IDOR vulnerabilities?
7 practices: (1) object-level authorization — every endpoint verifies user's right to the resource, (2) indirect references — mapping ID→token per session, (3) ABAC/RBAC with policies (OPA, Casbin, AWS Cedar), (4) don't rely on UI hiding — always verify server-side, (5) regular pentests focused on authorization (Burp Autorize, AuthMatrix), (6) code review with authorization checklist, (7) rate limiting + monitoring of attempts to access others' IDs (possible scanning signal).