Insecure Direct Object Reference (IDOR)
Severity: high
What is IDOR?
IDOR occurs when an application exposes internal object references (like database IDs) and fails to verify that the requesting user is authorised to access the referenced object.
How it works
An attacker changes a parameter value (e.g., /user/101 to /user/102) to access another user's data. The application serves the requested resource without checking ownership or permissions.
Impact
Unauthorised access to other users' data, including personal information, financial records, medical data, and private documents.
ShieldReport's IDOR heuristic probing tests predictable ID patterns in URLs and API endpoints, checking if incrementing IDs yields different users' data.
How to fix it
Implement server-side authorization checks for every object access. Use indirect references (UUIDs instead of sequential IDs). Apply row-level security policies in the database.
Code example
Vulnerable

  // VULNERABLE: no authorization check; any authenticated (or unauthenticated) caller
  // can fetch any user record simply by changing :id in the URL
  app.get('/api/user/:id', async (req, res) => {
    const user = await db.users.findById(req.params.id)
    res.json(user)
  })

Secure

  // SECURE: verify ownership on the server before touching the record.
  // req.params.id is always a string, so coerce the session user's id to a string
  // before comparing; otherwise a numeric req.user.id never matches and every
  // non-admin request is rejected (or, with ==, loosely matched).
  app.get('/api/user/:id', async (req, res) => {
    if (req.params.id !== String(req.user.id) && !req.user.isAdmin) {
      return res.status(403).json({ error: 'Forbidden' })
    }
    const user = await db.users.findById(req.params.id)
    res.json(user)
  })
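The ownership check above applies the same way to any resource a user owns, not just the user record itself. The following added example (not ShieldReport's code) generalises it to a document endpoint with a constructed in-memory store: the ID is parsed strictly, the owner is read from the stored record rather than from anything the client sent, and the handler returns an HTTP-like result so the logic can be exercised without a running server.

```javascript
'use strict';

// Constructed in-memory stores standing in for the database (sample data, not real records).
const users = new Map([
  [101, { id: 101, name: 'alice', isAdmin: false }],
  [102, { id: 102, name: 'bob',   isAdmin: false }],
  [1,   { id: 1,   name: 'root',  isAdmin: true  }],
]);
const documents = new Map([
  [5001, { id: 5001, ownerId: 101, title: 'alice-tax-return.pdf' }],
  [5002, { id: 5002, ownerId: 102, title: 'bob-medical-record.pdf' }],
]);

// Parse an untrusted path parameter strictly: only a plain positive integer is accepted,
// so values like "102abc", "1e2" or " 102" cannot reach the lookup or a loose comparison.
function parseId(raw) {
  return /^[1-9][0-9]*$/.test(raw) ? Number(raw) : null;
}

// Central authorization rule: a requester may read a resource only if they own it or are
// an admin. Ownership is decided from the stored record, never from client-supplied data.
function canAccess(requester, ownerId) {
  return requester.isAdmin || requester.id === ownerId;
}

// Handler for GET /api/documents/:id. `requester` is the authenticated principal (what
// Express exposes as req.user); `rawId` is the untrusted :id path parameter.
// Returns { status, body } instead of writing to a response object.
function getDocument(requester, rawId) {
  const id = parseId(rawId);
  if (id === null) return { status: 400, body: { error: 'Bad Request' } };
  const doc = documents.get(id);
  if (!doc) return { status: 404, body: { error: 'Not Found' } };
  // 403 mirrors the page's example. Some APIs return 404 here too, so that a caller
  // walking sequential IDs cannot tell which ones exist.
  if (!canAccess(requester, doc.ownerId)) {
    return { status: 403, body: { error: 'Forbidden' } };
  }
  return { status: 200, body: doc };
}
```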