Insecure Direct Object Reference (IDOR)
What it is
IDOR vulnerabilities arise when applications expose internal object references without enforcing authorization checks to confirm ownership.
Why it matters
Attackers can directly access, edit, or delete sensitive resources belonging to other users by simply changing an ID parameter.
How to reduce risk
- Enforce authorization on every request, not just when users authenticate
- Use indirect or randomized identifiers so objects cannot be guessed
- Centralize authorization logic instead of embedding it in the client
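The three controls above, shown side by side in an added example (not code from the page or from OWASP): a lookup that ignores the caller, the same lookup with an ownership check on every request, and an indirect-reference map that hands clients random per-user handles instead of row ids. The invoice records, user names and handle format are constructed for illustration.

```python
import secrets

# Constructed sample store: sequential ids are guessable, so each record
# carries its owner and every read must be checked against the caller.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 75.50},
}


class NotFound(Exception):
    """Raised for both missing and foreign records so responses do not reveal existence."""


def get_invoice_vulnerable(current_user, invoice_id):
    """IDOR: the caller's identity is ignored; any known id is served."""
    return INVOICES.get(invoice_id)


def get_invoice_hardened(current_user, invoice_id):
    """Object-level authorization: ownership is verified on this request."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        raise NotFound(invoice_id)
    return record


class ReferenceMap:
    """Indirect references: clients receive random per-user handles instead of row ids."""

    def __init__(self):
        self._handles = {}  # (user, handle) -> invoice_id, kept server-side

    def handle_for(self, user, invoice_id):
        # Issue a handle only for records the user owns; 128 random bits make it unguessable.
        if INVOICES.get(invoice_id, {}).get("owner") != user:
            raise NotFound(invoice_id)
        handle = secrets.token_urlsafe(16)
        self._handles[(user, handle)] = invoice_id
        return handle

    def resolve(self, user, handle):
        # The lookup key includes the user, so a handle reused from another
        # account resolves to nothing; the ownership check still runs after.
        invoice_id = self._handles.get((user, handle))
        if invoice_id is None:
            raise NotFound(handle)
        return get_invoice_hardened(user, invoice_id)
```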
Related Terms: Access Control, API Misconfiguration, Broken Object Level Authorization (BOLA)
External Resources:
- OWASP – Insecure Direct Object Reference: https://owasp.org/www-community/attacks/Insecure_Direct_Object_Reference