IDOR is a Broken Access Control vulnerability where an application exposes internal object references (like user IDs, order numbers, file names) and fails to verify whether the user is authorized to access them.
What is IDOR (Quick Recap)
IDOR happens when:
- An application exposes a direct reference (like user_id=123)
- The server does NOT properly verify authorization
- An attacker changes the value to access unauthorized data
It is part of the OWASP Top 10 under category A01: Broken Access Control.
Example 1: Profile Access IDOR (Classic Case)
Scenario: You log into a website and visit:
https://example.com/account?user_id=205
The server shows your profile. Now you change it to:
https://example.com/account?user_id=204
If it shows another user's profile → IDOR
Why It Happens:
Backend code might look like this (bad example):
```python
def account(request):
    # Deliberately vulnerable: the ID comes straight from the query string and is never compared with the logged-in user
    user = db.get_user(request.GET["user_id"])
    return render(user)
```
Example 2: Invoice Download IDOR
Scenario:
An e-commerce website allows invoice download:
https://shop.com/invoice/9001.pdf
You change it to:
https://shop.com/invoice/9002.pdf
If another customer's invoice downloads → IDOR
Impact:
- Leaks personal information
- Leaks payment details
- GDPR violation risk
This is extremely common in:
- SaaS dashboards
- Online shopping platforms
Example 3: File Access IDOR
Scenario:
A company portal lets users download files:
https://portal.com/files/report_25.pdf
Attacker changes:
https://portal.com/files/report_24.pdf
If access is granted without role verification → IDOR
This can expose:
- Internal reports
- Employee data
- Financial documents
Example 4: API IDOR (Modern Applications)
Now let's look at REST APIs.
Request:
GET /api/v1/users/150
Response:
{
"name": "Ravi",
"email": "ravi@email.com"
}
Attacker changes:
GET /api/v1/users/151
If data is returned → IDOR
Modern apps (React, Angular, mobile apps) are highly vulnerable if backend validation is weak, because the client is fully under the user's control and only the API can enforce authorization.
Example 5: PUT / DELETE IDOR (More Dangerous)
Update Request:
PUT /api/orders/500
If the attacker changes the order ID:
PUT /api/orders/501
And can modify another user's order → IDOR
Even worse:
DELETE /api/users/101
If it deletes another account → critical vulnerability.
Types of IDOR
1. Horizontal Privilege Escalation
Accessing data of another user at the same level.
Example: User A viewing User B's profile.
2. Vertical Privilege Escalation
A normal user accessing an admin resource.
Example:
/admin/deleteUser?id=5
If accessible → serious issue.
How Attackers Find IDOR
- Changing numeric IDs
- Observing patterns (101, 102, 103, ...)
- Intercepting requests using:
- Burp Suite
- OWASP ZAP
Why IDOR Happens (Root Cause)
Developers:
- Trust user input
- Assume user won't modify IDs
- Skip authorization checks
- Rely only on frontend validation
Frontend validation ≠ security
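The root causes above come down to one missing step: deciding access from the server-side session instead of from the ID the client sent. The following is an added example (not code from the original post) that puts the vulnerable lookup next to the hardened horizontal (ownership) and vertical (role) checks; the in-memory tables, handler names and the AccessDenied exception are constructed stand-ins for a real framework and database.

```python
# Added example, not from the original post. The in-memory tables, handler
# names and AccessDenied exception are constructed stand-ins for a real app.

USERS = {  # constructed: user_id -> role
    1: {"role": "admin"},
    204: {"role": "user"},
    205: {"role": "user"},
}
INVOICES = {  # constructed: invoice_id -> record
    9001: {"owner_id": 205, "total": "49.00"},
    9002: {"owner_id": 204, "total": "120.00"},
}

class AccessDenied(Exception):
    """The framework would turn this into an HTTP error response."""

def invoice_vulnerable(invoice_id, session_user_id):
    # Same mistake as the post's bad example: the client-supplied ID is
    # used directly and the session identity is never consulted.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise AccessDenied()
    return invoice

def invoice_secure(invoice_id, session_user_id):
    # Horizontal fix: ownership is checked against the server-side session,
    # never against anything the client sent. "Not found" and "not yours"
    # raise the same error so the endpoint does not confirm which IDs exist.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner_id"] != session_user_id:
        raise AccessDenied()
    return invoice

def delete_user_secure(target_id, session_user_id):
    # Vertical fix: the caller's role comes from the server-side user record,
    # so knowing the /admin/deleteUser URL is not enough for a normal user.
    caller = USERS.get(session_user_id)
    if caller is None or caller["role"] != "admin" or target_id not in USERS:
        raise AccessDenied()
    del USERS[target_id]
    return True

def is_denied(handler, *args):
    # Small helper for checks: True when the handler refuses the request.
    try:
        handler(*args)
    except AccessDenied:
        return True
    return False
```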
Real-World Impact
IDOR has caused:
- Data leaks
- Banking information exposure
- Government portal breaches
- Massive bug bounty payouts
It is one of the most reported vulnerabilities in bug bounty programs.
Safe Practice Platforms (For Your Blog Demo)
You can safely demonstrate IDOR using:
- bWAPP
- OWASP WebGoat
- PortSwigger Web Security Academy
Best Recommendation for Your IDOR Medium Blog
1. What if changing a single number in a URL could expose someone else's private data?
2. That simple mistake is known as Insecure Direct Object Reference (IDOR).
3. IDOR is one of the most common and dangerous web vulnerabilities today.
4. It occurs when an application fails to properly verify user authorization.
5. Attackers can manipulate IDs in URLs, APIs, or form parameters to access sensitive data.
6. This vulnerability falls under Broken Access Control in the OWASP Top 10.
7. IDOR can lead to data breaches, account takeover, and privacy violations.
8. Many modern web and mobile applications are vulnerable due to weak backend validation.
9. The issue is simple to understand but critical if left unpatched.
10. In this article, we'll explore real-world examples, attack scenarios, and how to prevent IDOR effectively.