An insecure direct object reference (IDOR) vulnerability occurs when an attacker can access or modify a reference to an object, such as a file, database record, account, and so on, that should be inaccessible to them. For example, let’s say the website www.<example>.com has private user profiles that should be accessible only to the profile owner through the URL www.<example>.com/user?id=1. The id parameter would determine which profile you’re viewing. If you can access someone else’s profile by changing the id parameter to 2, that would be an IDOR vulnerability.

Finding Simple IDORs

Some IDOR vulnerabilities ...

Get Real-World Bug Hunting now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.