Insecure Direct Object Reference, more commonly known as IDOR, is a permission-based vulnerability which allows an attacker to access or modify resources belonging to other users of the web application, or rather resources which are not allowed to be controlled by the attacker. The basic fundamental behind IDOR is that an endpoint of a web application tries to display or modify some resource such as a message, image, or file using a user-supplied (or user-controlled) identifier in the request but doesn't check whether the user has enough permission to accomplish the task.

IDOR is not a new vulnerability but I purposely included this section because of the severity or impact of it. Another reason is that XSS and ...