Overview
Insecure Direct Object Reference (IDOR) occurs when an application uses a client-supplied identifier — an integer ID, UUID, filename, or similar value — to look up a server-side object without first verifying that the requesting user is authorized to access that specific object. Because the check is missing or insufficient, an attacker can substitute a different identifier and retrieve or manipulate data belonging to another user or entity.
IDOR is not an injection vulnerability; it is purely an access control failure. It is listed under OWASP A01:2021 – Broken Access Control, the most prevalent web application security risk category, and is formally classified as CWE-639. In the API security context, the same pattern is often called Broken Object-Level Authorization (BOLA), highlighted as API1:2023 in the OWASP API Security Top 10.
How it works
The vulnerability arises when a three-step pattern is broken at step three: (1) the application stores objects with identifiers, (2) it exposes those identifiers to clients in URLs, request bodies, or cookies, and (3) it fails to verify ownership or permission before serving or modifying the referenced object.
- Predictable sequential IDs: A URL such as
GET /invoices/10042reveals that other invoices likely exist at/invoices/10041,/invoices/10043, and so on. An attacker iterates over these values (a technique called IDOR enumeration or horizontal privilege escalation). - Opaque but exposed identifiers: Even UUIDs or hashed IDs are insufficient substitutes for authorization checks. If the server does not verify the caller's rights, the obscurity of the identifier provides only weak security-by-obscurity protection.
- Vertical privilege escalation: IDOR can also be exploited to access objects at a higher privilege level — e.g., substituting a regular user's account ID with an admin account ID in a management endpoint.
- POST/PUT/DELETE targets: Write operations are equally affected. An attacker may modify or delete another user's record by supplying its identifier in the request body or path.
- Indirect references in parameters: File download endpoints (
/download?file=report_user123.pdf), export functions, and reference IDs embedded in form fields are common IDOR surfaces.
A minimal proof-of-concept looks like:
GET /api/orders/5512 HTTP/1.1
Authorization: Bearer <victim_token_not_needed>
# Attacker changes 5512 to 5513:
GET /api/orders/5513 HTTP/1.1
Authorization: Bearer <attacker_token>
HTTP/1.1 200 OK
{ "order_id": 5513, "customer": "victim@example.com", ... }
The server returns victim data because it looked up the order by ID without confirming that the authenticated user owns order 5513.
Business impact
The consequences of a successful IDOR exploit depend on the sensitivity of the exposed objects and the write permissions available:
- Data breach: Personal Identifiable Information (PII), financial records, health data, or proprietary content belonging to other users can be exfiltrated in bulk through automated enumeration.
- Regulatory and compliance exposure: Unauthorized access to personal data constitutes a reportable breach under GDPR (Article 33), HIPAA, PCI-DSS, and similar frameworks, potentially resulting in significant fines and mandatory notifications.
- Account takeover: If profile or authentication objects are accessible via IDOR, attackers may change email addresses, passwords, or linked payment methods.
- Data manipulation or destruction: Write-capable IDOR enables an attacker to alter or delete records, corrupt business-critical data, or disrupt service for other users.
- Reputational damage: Public disclosure of an IDOR flaw that exposed customer data typically causes significant loss of customer trust.
IDOR vulnerabilities are among the most frequently rewarded findings in public bug bounty programs, often rated High or Critical depending on the data involved, which reflects their real-world exploitability.
How to fix it
- Enforce server-side authorization on every object access: After authenticating the request, verify that the authenticated principal (user, service account, or role) has explicit permission to read or modify the specific object identified in the request. This check must happen on the server — client-side filtering is insufficient.
- Use indirect reference maps: Instead of exposing raw database keys, maintain a per-session or per-user mapping between an opaque token and the actual object ID. Only the server resolves the mapping, so attackers cannot guess another user's valid token.
- Apply attribute-based or role-based access control (ABAC/RBAC): Model ownership and permission explicitly. For example, an ORM query should always scope results to the authenticated user:
SELECT * FROM orders WHERE id = ? AND user_id = ?rather thanSELECT * FROM orders WHERE id = ?. - Avoid predictable identifiers where feasible: Using randomly generated UUIDs (v4) instead of sequential integers reduces the ease of enumeration, though this is a defense-in-depth measure, not a substitute for authorization.
- Implement and test access control centrally: Use a unified authorization middleware or library rather than ad-hoc per-endpoint checks. Inconsistency across endpoints is a primary cause of missed IDOR vulnerabilities.
- Log and alert on access anomalies: Rapid sequential access to object identifiers by a single account is a strong signal of IDOR enumeration. Implement rate limiting and anomaly detection on object-retrieval endpoints.
- Include IDOR scenarios in security testing: Automated scanners, manual penetration tests, and code reviews should explicitly test whether one authenticated session can access objects owned by a different session. Sensagraph automatically detects IDOR patterns across web application endpoints.
References
- OWASP Top 10 A01:2021 – Broken Access Control
- OWASP WSTG – Testing for Insecure Direct Object References
- OWASP API Security Top 10 2023 – API1: Broken Object Level Authorization
- MITRE CWE-639 – Authorization Bypass Through User-Controlled Key
- MITRE CWE-284 – Improper Access Control
- OWASP Cheat Sheet – IDOR Prevention
- PortSwigger Web Security Academy – IDOR