Introduction
IDOR stands for Insecure Direct Object Reference.
It is an access control flaw: the application exposes a direct reference to an internal object (a database ID, a file name, an account number) and lets the user choose which object to act on by changing that reference in a request, without checking that the user is authorized for that particular object.
How It Works
A system uses a request like:
GET /profile?id=123
The server looks up record 123 and returns it. If it never checks that the logged-in user owns record 123, that same user can change the ID and read someone else's profile:
GET /profile?id=124
What Attackers Can Access
- user profiles
- documents
- account data
Why This Happens
The system checks that the request is valid (the user is logged in, the ID exists, the parameters are well-formed), but not that this user is allowed to access this object. Authentication is present; object-level authorization is missing.
How It Is Prevented
- enforce an object-level authorization check on every request, server-side, using the identity from the session rather than anything in the request
- do not trust user-supplied identifiers to decide what the user may see
- use indirect references (per-user mappings or unguessable IDs) as defense in depth; they make IDs harder to guess but do not replace the authorization check
Real Example
Instead of exposing raw, sequential IDs and trusting them:
GET /file?id=1001
map each user's view of a file to a reference that only they hold, or look the file up and verify that the current user owns it (or has been granted access) before returning any data. Return the same response for a file that does not exist and for one the user may not see, so the endpoint does not reveal which IDs exist.
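The following is an added example, not code from the original page, showing the vulnerable lookup from the How It Works section next to the hardened version described under How It Is Prevented and Real Example. The in-memory PROFILES store, the user names, and the helper names (get_profile_vulnerable, get_profile_secure, ReferenceMap, fetch_by_reference) are constructed for illustration and stand in for a real database and web framework.

```python
# Added example (not from the original page). The data store, users and helper
# names below are constructed for illustration.
import secrets

# Constructed sample data: profiles keyed by their internal database ID.
PROFILES = {
    123: {"owner": "alice", "email": "alice@example.com"},
    124: {"owner": "bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


def get_profile_vulnerable(current_user, profile_id):
    """The IDOR: the only check is that the record exists.

    current_user is taken from the session but never used, so any logged-in
    user can read any profile by changing the id in the request.
    """
    profile = PROFILES.get(profile_id)
    if profile is None:
        raise KeyError(profile_id)
    return profile


def get_profile_secure(current_user, profile_id):
    """Same lookup, with an object-level authorization check.

    Existence and ownership are checked before anything is returned, and a
    foreign object is refused the same way a missing one is, so the response
    does not reveal which IDs exist.
    """
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != current_user:
        raise Forbidden(f"user {current_user!r} may not access profile {profile_id}")
    return profile


class ReferenceMap:
    """Indirect references: each user receives a random token for each object
    they are allowed to see, and the real ID never leaves the server.

    This is defense in depth only; get_profile_secure still checks ownership.
    """

    def __init__(self):
        self._by_user = {}  # user -> {token: internal_id}

    def issue(self, user, internal_id):
        token = secrets.token_urlsafe(16)
        self._by_user.setdefault(user, {})[token] = internal_id
        return token

    def resolve(self, user, token):
        # A token issued to one user is meaningless in another user's session.
        try:
            return self._by_user[user][token]
        except KeyError:
            raise Forbidden(f"unknown reference {token!r} for user {user!r}")


def fetch_by_reference(refmap, user, token):
    """Full request path: indirect reference -> internal id -> ownership check."""
    return get_profile_secure(user, refmap.resolve(user, token))
```

In a real application the current user comes from the authenticated session, the lookup is a database query, and the ownership condition is part of that query (for example, filtering on both the object ID and the owner column) so the check cannot be skipped on any code path.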
Conclusion
IDOR is simple but dangerous.
Every request should verify not just what is being accessed, but who is accessing it.