IDOR (Insecure Direct Object Reference) vulnerabilities are among the most common and impactful API security issues; OWASP's API Security Top 10 lists the same flaw under the name Broken Object Level Authorization. They occur when an application accepts a user-supplied reference to an internal object (a database key, a filename, a user ID) and acts on it without verifying that the requester is authorized for that particular object.
What is IDOR?
When you request a resource like /api/users/123/orders, the 123 is a direct object reference: it names a specific user record. If the server doesn't check that the authenticated caller is allowed to see user 123's orders before returning them, that's an IDOR vulnerability. Note that authentication alone does not help here; the attacker is usually logged in, just as a different user.
Common Patterns
1. Sequential IDs
GET /api/invoices/1001
GET /api/invoices/1002 # Can I access someone else's invoice?
2. Predictable UUIDs
Some "random" UUIDs aren't random at all. Check the version nibble (the first hex digit of the third group): version 1 UUIDs encode a 60-bit timestamp plus the generating host's node ID and clock sequence, so IDs minted close together on the same host differ only in the low time bits, and an attacker who has seen a few can enumerate the rest. Collect several IDs and look for shared components or monotonic growth; even version 4 values deserve a look if the application might be using a seeded or otherwise weak generator.
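A check for the predictability described above, as an added example that is not part of the original post. It uses only the standard library; the version-1 UUIDs are constructed from raw fields (make_v1 is a helper written for this example) so that the script runs offline with known values, and the two version-4 strings are made-up samples.

```python
"""Check whether a batch of identifiers is really unpredictable.

Added example, not code from the original post. Uses only the standard
library; the UUIDs below are constructed to illustrate the checks."""
from __future__ import annotations

import uuid


def make_v1(ts_100ns: int, clock_seq: int, node: int) -> uuid.UUID:
    """Build an RFC 4122 version-1 UUID from its raw fields (constructed input)."""
    time_low = ts_100ns & 0xFFFFFFFF
    time_mid = (ts_100ns >> 32) & 0xFFFF
    time_hi_version = ((ts_100ns >> 48) & 0x0FFF) | 0x1000      # version nibble = 1
    clock_seq_hi_variant = 0x80 | ((clock_seq >> 8) & 0x3F)      # variant bits = 10
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def analyze(ids: list[str]) -> dict:
    """Summarise what an attacker could learn from a set of observed UUIDs."""
    parsed = [uuid.UUID(s) for s in ids]
    report = {"versions": sorted({u.version for u in parsed if u.version})}
    v1 = [u for u in parsed if u.version == 1]
    if v1:
        times = [u.time for u in v1]          # 100 ns ticks since 1582-10-15
        report["v1_nodes"] = sorted({u.node for u in v1})
        report["v1_clock_seqs"] = sorted({u.clock_seq for u in v1})
        report["v1_time_span_100ns"] = max(times) - min(times)
        # Same node + same clock_seq means new IDs from this host can be
        # guessed by enumerating the timestamp field alone.
        report["predictable"] = (len(report["v1_nodes"]) == 1
                                 and len(report["v1_clock_seqs"]) == 1)
    else:
        report["predictable"] = False
    return report


# Constructed sample: two IDs minted 100 ms apart on the same host.
BASE_TS = 0x01EC_0000_0000_0000  # arbitrary 60-bit timestamp
SAMPLE_V1 = [str(make_v1(BASE_TS, 0x1234, 0x001122334455)),
             str(make_v1(BASE_TS + 1_000_000, 0x1234, 0x001122334455))]
# Constructed version-4 samples: nothing recoverable from the bits.
SAMPLE_V4 = ["9b2c6f1e-7d3a-4b8e-9f0a-2c4d6e8f0a1b",
             "3f5a7c9e-1b2d-4e6f-8a9b-0c1d2e3f4a5b"]

if __name__ == "__main__":
    print(analyze(SAMPLE_V1))
    print(analyze(SAMPLE_V4))
```

Feed analyze a few dozen IDs harvested from responses you are allowed to see; a single node and clock sequence with a tight time span means the identifier is a timestamp with decoration, not a secret.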
3. Parameter Pollution
GET /api/profile?user_id=123&user_id=456
Frameworks disagree on which duplicate wins: some take the first value, some the last, some both as a list. If the authorization check reads one copy and the data lookup reads the other, the check passes for the attacker's own ID while the data comes back for the victim's. Send both orderings and compare.
Automated Testing
This is why I built IDOR-Scan - to automate the tedious process of swapping user contexts and comparing responses.
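The context-swap-and-compare approach, written out as an added example. This is not IDOR-Scan's code; the target is a constructed in-memory API (fake_api, with one vulnerable endpoint, one fixed endpoint and one endpoint that mishandles duplicate parameters) so the script runs offline. Replace fake_api with a real HTTP client that has the same (user, method, url) -> (status, body) signature to run it against a live application you are authorized to test.

```python
"""Differential IDOR check: request as the owner, replay as someone else, compare.

Added example, not IDOR-Scan's code. fake_api is a constructed stand-in target."""
from __future__ import annotations

from urllib.parse import parse_qsl, urlsplit

# Constructed data: who owns what.
USER_IDS = {"alice": "123", "bob": "456"}
INVOICES = {"1001": {"owner": "alice", "total": 42}, "1002": {"owner": "bob", "total": 99}}
PROFILES = {"123": {"email": "alice@example.com"}, "456": {"email": "bob@example.com"}}


def fake_api(user: str, method: str, url: str) -> tuple[int, dict | None]:
    """Stand-in target with one vulnerable, one fixed and one HPP-prone endpoint."""
    parts = urlsplit(url)
    seg = parts.path.strip("/").split("/")
    params = parse_qsl(parts.query)               # keeps duplicates, in order
    if seg[:2] == ["api", "invoices"] and len(seg) == 3:
        return (200, INVOICES[seg[2]]) if seg[2] in INVOICES else (404, None)  # no owner check
    if seg[:2] == ["api", "orders"] and len(seg) == 3:
        inv = INVOICES.get(seg[2])
        if inv is None or inv["owner"] != user:
            return 403, None                        # fixed: caller must own the object
        return 200, inv
    if seg == ["api", "profile"]:
        values = [v for k, v in params if k == "user_id"]
        if not values:
            return 400, None
        if values[0] != USER_IDS[user]:             # auth check reads the FIRST copy
            return 403, None
        return 200, PROFILES.get(values[-1])        # lookup reads the LAST copy (HPP bug)
    return 404, None


def idor_check(fetch, victim: str, attacker: str, url: str) -> dict:
    """Report whether `attacker` receives the same object `victim` gets at `url`."""
    v_status, v_body = fetch(victim, "GET", url)
    a_status, a_body = fetch(attacker, "GET", url)
    return {
        "url": url,
        "victim": v_status,
        "attacker": a_status,
        # Identical 200 bodies for a victim-owned object: the reference is
        # honoured regardless of who asks, which is the IDOR signature.
        "vulnerable": v_status == 200 and a_status == 200 and a_body == v_body,
    }


def hpp_check(fetch, victim: str, attacker: str, path: str, param: str) -> list[dict]:
    """Try both duplicate-parameter orders; either one slipping through is a finding."""
    v_id, a_id = USER_IDS[victim], USER_IDS[attacker]
    expected = fetch(victim, "GET", f"{path}?{param}={v_id}")[1]
    findings = []
    for query in (f"{param}={v_id}&{param}={a_id}", f"{param}={a_id}&{param}={v_id}"):
        status, body = fetch(attacker, "GET", f"{path}?{query}")
        findings.append({"url": f"{path}?{query}", "attacker": status,
                         "vulnerable": status == 200 and body == expected})
    return findings


def run(fetch=fake_api) -> list[dict]:
    results = [idor_check(fetch, "alice", "bob", "/api/invoices/1001"),
               idor_check(fetch, "alice", "bob", "/api/orders/1001")]
    results += hpp_check(fetch, "alice", "bob", "/api/profile", "user_id")
    return results


if __name__ == "__main__":
    for r in run():
        print("VULN " if r["vulnerable"] else "ok   ", r["url"], r["attacker"])
```

Two caveats when pointing this at a real target: a resource that is legitimately public will also produce identical bodies for both users, so only test URLs whose object belongs to the victim account; and responses often embed request IDs or timestamps, so compare after normalizing those fields rather than on raw bytes.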
Prevention
- Always verify authorization server-side, on every request, for the specific object referenced; authentication tells you who is calling, not whether they may see this record
- Use indirect references (per-session mapped IDs, or random unguessable IDs) to make enumeration harder; this is defence in depth, not a replacement for the check above
- Implement access control in one place, ideally by making ownership part of the data lookup itself, rather than ad hoc in each handler, and reject or pin to a single value when a parameter is repeated
- Log and monitor access patterns: bursts of sequential IDs, or many 403/404 responses from one session, are the signature of someone enumerating objects
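The prevention points above in working form, as an added example that is not code from the original post: a handler that only authenticates beside one that scopes the query by owner and logs denials, plus a per-session indirect reference map in front of it. An in-memory sqlite3 table with constructed rows stands in for the real database, and the names (get_invoice, ReferenceMap and so on) are this example's own.

```python
"""Object-level authorization three ways: broken, scoped query, indirect reference.

Added example, not code from the original post. The sqlite3 table holds
constructed rows."""
from __future__ import annotations

import logging
import secrets
import sqlite3

log = logging.getLogger("access")
DB = sqlite3.connect(":memory:")
DB.row_factory = sqlite3.Row
DB.executescript("""
    CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, amount INTEGER);
    INSERT INTO invoices VALUES (1001, 7, 120), (1002, 8, 55);
""")


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> dict | None:
    """Authenticated but not authorized: any logged-in caller can read any invoice."""
    row = DB.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ?",
                     (invoice_id,)).fetchone()
    return dict(row) if row else None


def get_invoice(current_user_id: int, invoice_id: int) -> dict | None:
    """Ownership is part of the lookup, so no caller can forget the check.
    'Not found' and 'not yours' return the same thing, which avoids confirming
    that an ID exists to someone probing the keyspace."""
    row = DB.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id)).fetchone()
    if row is None:
        # Denials are the signal monitoring keys on: many of these from one
        # principal in a short window means enumeration.
        log.warning("denied user=%s invoice=%s", current_user_id, invoice_id)
    return dict(row) if row else None


class ReferenceMap:
    """Indirect references: one instance per session. Clients only ever see
    opaque tokens, never row IDs, so there is nothing sequential to walk."""

    def __init__(self) -> None:
        self._to_real: dict[str, int] = {}
        self._to_token: dict[int, str] = {}

    def indirect(self, real_id: int) -> str:
        if real_id not in self._to_token:
            token = secrets.token_urlsafe(16)      # 128 bits, unguessable
            self._to_token[real_id] = token
            self._to_real[token] = real_id
        return self._to_token[real_id]

    def resolve(self, token: str) -> int | None:
        return self._to_real.get(token)


def get_invoice_by_token(current_user_id: int, refs: ReferenceMap, token: str) -> dict | None:
    real_id = refs.resolve(token)
    if real_id is None:
        return None
    return get_invoice(current_user_id, real_id)   # indirection does not replace authorization


if __name__ == "__main__":
    print(get_invoice_vulnerable(8, 1001))   # user 8 reads user 7's invoice
    print(get_invoice(8, 1001))              # None
    refs = ReferenceMap()
    token = refs.indirect(1001)
    print(get_invoice_by_token(7, refs, token))  # the owner, via an opaque token
```

The scoped query is the part that matters: once `owner_id = ?` lives in the lookup, a new endpoint that reuses get_invoice is safe by construction, whereas a separate `if invoice.owner_id != user` after an unscoped fetch is exactly the line that gets omitted in the next handler.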