Web Security

IDOR

Insecure Direct Object Reference (IDOR) is an access control vulnerability in which an application accepts an object reference from the client (a database ID, a filename, an order number) and uses it to fetch the object without verifying that the requesting user is authorized to access it. An attacker simply changes the parameter (e.g., /invoice?id=1234 to /invoice?id=1235) to read or modify another user's data. IDOR falls under Broken Access Control (A01:2021) in the OWASP Top 10. The fix is a server-side authorization check on every request that touches a sensitive object, tying the object to the identity of the authenticated session rather than to anything the client supplied. Replacing sequential IDs with random ones (UUIDs) makes guessing harder but is not a fix on its own: a leaked or shared identifier still grants access if the ownership check is missing.
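As an added example (not code from the original page), the lookup described above written first the IDOR-vulnerable way, then with the server-side ownership check that closes it, followed by the two-account probe that is the standard way to confirm IDOR in testing. The in-memory invoice store, user IDs and function names are constructed for illustration.

```python
"""IDOR: vulnerable lookup, hardened lookup, and a two-account probe.
All data and names here are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total_cents: int


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1234: Invoice(invoice_id=1234, owner_id=1, total_cents=4_999),
    1235: Invoice(invoice_id=1235, owner_id=2, total_cents=120_000),
}


class NotFound(Exception):
    """Raised when no such object exists or it is hidden from the caller."""


def get_invoice_vulnerable(requesting_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: the id from the request is used as-is and ownership is never
    checked, so any authenticated user can read any invoice by editing ?id=."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_secure(requesting_user_id: int, invoice_id: int) -> Invoice:
    """Fixed: authorization is decided server-side, per request, against the
    identity of the session (requesting_user_id), not against client input."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != requesting_user_id:
        # Same error for "missing" and "not yours", so an attacker cannot
        # enumerate which ids exist by telling 403 apart from 404.
        raise NotFound(invoice_id)
    return invoice


def idor_probe(fetch: Callable[[int, int], Invoice],
               victim_user_id: int, victim_object_id: int,
               attacker_user_id: int) -> bool:
    """Two-account test: log in as the attacker, request an object that belongs
    to the victim, and report True if the victim's object comes back."""
    try:
        got = fetch(attacker_user_id, victim_object_id)
    except NotFound:
        return False
    return got.owner_id == victim_user_id


if __name__ == "__main__":
    # User 1 tries to read user 2's invoice 1235 through each handler.
    print("vulnerable handler leaks:", idor_probe(get_invoice_vulnerable, 2, 1235, 1))
    print("secure handler leaks:   ", idor_probe(get_invoice_secure, 2, 1235, 1))
```

The probe is the shape of the check a reviewer or pentester runs against every endpoint that takes an object identifier: two accounts, one object, and a request crossing the boundary. Scoping the database query to the session's user (for example `WHERE id = ? AND owner_id = ?`) gives the same guarantee as the explicit comparison above and is harder to forget on new endpoints.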

Why it matters for your website

  • Listed in the OWASP Top 10 under Broken Access Control, one of the most critical web risks
  • Can lead to exposure, modification or deletion of other users' records, account takeover (for example by changing another user's e-mail or password through an unprotected endpoint) and, when the unprotected object is an administrative one, privilege escalation
  • Commonly required to be fixed before passing security reviews for enterprise customers

Check your site for IDOR issues

Run a free scan to see whether your domain shows IDOR-related weaknesses or misconfigurations. Note that an unauthenticated external scan cannot confirm or rule out IDOR on its own: the flaw only appears when a second, authenticated account requests an object that belongs to the first, so treat the scan as a starting point and test each endpoint that accepts an object identifier with two accounts.
