Web Security beginner 45 mins

Insecure Direct Object Reference

Learn how missing object-level authorization exposes other users' data.

Hands-on Labs
Real-world Scenarios
Immediate Feedback
1

Introduction to IDOR

theory

Learn why object IDs in URLs need authorization checks.

What is an Insecure Direct Object Reference?

Insecure Direct Object Reference (IDOR) happens when an application exposes an internal object identifier and trusts that identifier without checking whether the current user is allowed to access the object.

A common example is a profile route like /users/42. If user 17 can change the URL to /users/42 and read another user’s private profile, the application has an object-level authorization bug.

Why IDOR Happens

IDOR usually appears when code checks that a user is logged in, but does not check whether the requested record belongs to that user.

app.get('/profiles/:userId', requireLogin, (request, response) => {
    const profile = db.getUserProfile(request.params.userId);
    response.json(profile);
});

The route has authentication, but it does not have authorization for the specific profile object.

Secure Pattern

Load the object, compare its owner with the authenticated user, and reject access when they do not match.

Knowledge Check

What check is missing in a typical IDOR vulnerability?