What is IDOR? (Insecure Direct Object Reference) — With Simple Examples
Riya Limba
April 6, 2026 (Updated: April 6, 2026)
IDOR (Insecure Direct Object Reference) is a common web security vulnerability that happens when an application exposes internal object references (like user IDs, file IDs, order IDs) without proper authorization checks.
This allows attackers to access or modify data that does not belong to them simply by changing the ID in the request.
IDOR is one form of Broken Access Control, which the OWASP Top 10 (2021) ranks as the number one risk in modern web applications.
Simple Definition
IDOR occurs when a user can access another user's data by changing an ID in the URL, request, or API without proper permission checks.
How IDOR Works
Most web apps use IDs to fetch data:
User ID
Order ID
Document ID
File ID
Example request: https://example.com/profile?user_id=123
If the application does not verify whether the logged-in user owns user_id=123, an attacker can change it: https://example.com/profile?user_id=124
Now the attacker can see someone else's profile → This is IDOR.
Example 1 — Profile IDOR
User logs in and opens their profile: GET /account?id=1001
Server returns: Name: Riya
Email: [email protected]
Attacker changes ID: GET /account?id=1002
Server returns: Name: Rahul
Email: [email protected]
🚨 This means no authorization check → IDOR vulnerability.
Example 2 — File Download IDOR
Application allows users to download invoices: https://example.com/download?invoice=5501
Attacker changes: https://example.com/download?invoice=5502
If another user's invoice downloads → Sensitive data exposure.
Example 3 — API IDOR
API request: GET /api/user/2001
Response: {
"name": "Riya",
"email": "[email protected]"
}
Attacker tries: GET /api/user/2002
If response returns another user → API IDOR vulnerability
Types of IDOR
1. URL Based IDOR
Changing IDs in URL /profile?id=123
2. POST Request IDOR
Changing ID in request body user_id=123
3. API IDOR
Changing API endpoint ID /api/orders/500
4. File IDOR
Accessing files by changing file ID /download?file=report1.pdf
Why IDOR is Dangerous
IDOR can lead to:
Unauthorized data access
Account takeover
Personal data leak
Financial information exposure
Admin panel access
Data modification
Severity depends on what data is exposed.
How Attackers Find IDOR
Common testing steps:
1. Log in to the application
2. Capture the request (Burp Suite)
3. Look for IDs in the URL, query string, request body, headers and cookies:
user_id
account_id
order_id
file_id
4. Change the ID value
5. Send the request
6. Compare the response with the original
If the response now contains data the current account should not have → Possible IDOR.
Example Test Using Burp Suite
Original request: GET /api/orders/101
Change to: GET /api/orders/102
If another user's order appears → IDOR confirmed.
Use two accounts you control for this: create order 102 as a second test user, then request it from the first user's session. That confirms the bug without reading a real customer's data, and it also tells you whether the server answers with the object, a 403, or a 404 (a 403 on a guessed ID still confirms that the ID exists).
IDOR vs Authentication vs Authorization
Authentication → Who you are
Authorization → What you can access
IDOR happens when:
Authentication exists ✅
Authorization missing ❌
User is logged in but can access other users' data.
How Developers Can Fix IDOR
Best practices:
1. Proper Authorization Check
Verify that the logged-in user owns the resource. The owner must come from the server-side session, never from the request, and the check belongs on every endpoint that takes an object ID (read, update and delete alike).
Wrong: SELECT * FROM orders WHERE id = 123
Correct: SELECT * FROM orders
WHERE id = 123 AND owner_id = :session_user_id
(For a users table the rule is simpler still: the only row a user may fetch is the one whose id equals the session user.)
2. Use Random IDs (UUID)
Instead of: /user/1001
Use: /user/8f3a9c-22aa-44b
Harder to guess, but this is defence in depth, not a fix. A random ID still leaks through shared links, logs, referrers and other responses, and once an attacker has it the request is as anonymous as before. The authorization check in point 1 stays mandatory.
3. Access Control Middleware
Check permissions before returning data.
4. Do Not Trust User Input
Treat every object ID in a URL, body or header as attacker-controlled and enforce the permission check server-side. Hiding links or buttons in the client is not an access control.
Real World Example Scenario
Banking app: /transfer?account=9001
Attacker changes: /transfer?account=9002
If attacker can view or transfer funds → Critical IDOR vulnerability
IDOR Testing Checklist
Look for:
user_id
id
uid
account
profile
order
invoice
file
document
download
Test by:
Incrementing IDs (1001 → 1002)
Decrementing IDs (1001 → 1000)
Trying random IDs
Switching users
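The Burp test, the developer fix and the ID-incrementing checklist above, as one runnable added example (this is not code from the original article). It stands up a small in-memory stand-in for the /api/orders/&lt;id&gt; endpoint with sqlite3, implements the handler twice (once with authentication only, once with the corrected ownership query), then runs the two-account test and a neighbouring-ID sweep against both. The users, session tokens and order rows are all constructed sample data, and the handlers take (db, session token, order id) directly in place of a web framework's route functions.

```python
"""Added example: the article's Burp-style IDOR test, automated, run against a
vulnerable and a fixed handler for /api/orders/<id>.

Everything here is constructed sample data: the two users, their session
tokens and their orders. The handlers are stand-ins for a web framework's
route functions, taking (db, session_token, order_id) directly."""
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

# Server-side session store: token -> user id. The user id is trusted because
# it is looked up here, never because it appears in a URL or request body.
SESSIONS: Dict[str, int] = {"tok-riya": 1, "tok-rahul": 2}

Response = Tuple[int, Optional[dict]]          # (HTTP status, JSON body)
Fetch = Callable[[str, int], Response]         # (session token, order id) -> response


def build_db() -> sqlite3.Connection:
    """Constructed orders table: order 101 belongs to user 1, 102 to user 2."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(101, 1, "laptop"), (102, 2, "phone")])
    return db


def vulnerable_get_order(db: sqlite3.Connection, token: str, order_id: int) -> Response:
    """Authentication only: any logged-in user can read any order (IDOR)."""
    if token not in SESSIONS:
        return 401, None
    row = db.execute("SELECT id, owner_id, item FROM orders WHERE id = ?",
                     (order_id,)).fetchone()
    if row is None:
        return 404, None
    return 200, {"id": row[0], "owner_id": row[1], "item": row[2]}


def secure_get_order(db: sqlite3.Connection, token: str, order_id: int) -> Response:
    """Authorization in the query: the owner comes from the session, not the URL."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        return 401, None
    row = db.execute("SELECT id, owner_id, item FROM orders WHERE id = ? AND owner_id = ?",
                     (order_id, user_id)).fetchone()
    if row is None:
        # Same answer for "does not exist" and "not yours", so the endpoint
        # does not confirm which IDs are real.
        return 404, None
    return 200, {"id": row[0], "owner_id": row[1], "item": row[2]}


def two_account_check(fetch: Fetch, victim_token: str, attacker_token: str, resource_id: int) -> bool:
    """The article's Burp test with two accounts you control:
    baseline as the victim, then replay the same request as the attacker."""
    v_status, v_body = fetch(victim_token, resource_id)
    if v_status != 200:
        raise RuntimeError("baseline failed: victim cannot read their own resource")
    a_status, a_body = fetch(attacker_token, resource_id)
    return a_status == 200 and a_body == v_body   # identical response => IDOR


def neighbour_sweep(fetch: Fetch, token: str, own_id: int, radius: int = 1) -> List[int]:
    """Checklist step: increment/decrement a known ID and note which IDs return 200.
    Only run this against IDs you own or are authorised to test."""
    hits = []
    for candidate in range(own_id - radius, own_id + radius + 1):
        if candidate == own_id:
            continue
        status, _ = fetch(token, candidate)
        if status == 200:
            hits.append(candidate)
    return hits


def run_demo() -> Dict[str, dict]:
    """Run both tests against both handlers. Expected result:
    vulnerable -> two_account True, neighbours [102]; secure -> False, []."""
    db = build_db()
    results = {}
    for name, handler in (("vulnerable", vulnerable_get_order), ("secure", secure_get_order)):
        fetch: Fetch = lambda token, oid, h=handler: h(db, token, oid)
        results[name] = {
            # Rahul (user 2) owns order 102; Riya (user 1) plays the attacker.
            "two_account": two_account_check(fetch, "tok-rahul", "tok-riya", 102),
            "neighbours": neighbour_sweep(fetch, "tok-riya", own_id=101),
        }
    return results


if __name__ == "__main__":
    print(run_demo())
```

The two-account check is the one to rely on: it proves the attacker's session receives exactly what the owner receives, with no guessing about what a 200 means. The neighbour sweep is the cheap first pass from the checklist, and against the fixed handler it returns nothing because "not yours" and "does not exist" are indistinguishable.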
Conclusion
IDOR is a high-impact vulnerability caused by missing authorization checks. It allows attackers to access sensitive data simply by changing IDs in requests. Proper access control, validation, and secure object references are essential to prevent IDOR vulnerabilities.
Understanding and testing for IDOR is an important skill for bug bounty hunters, penetration testers, and cybersecurity beginners.
#cybersecurity #bug-bounty #ethical-hacking #web-security #osint