{
    "slug": "idor",
    "term": "Insecure Direct Object Reference (IDOR)",
    "category": "security",
    "difficulty": "intermediate",
    "short": "A user accesses another user's data by changing an ID in a URL or request, because no authorisation check is performed on the referenced object.",
    "long": "IDOR occurs when an application exposes internal object identifiers (database IDs, filenames) directly in requests and does not verify that the requesting user is authorised to access that object. Example: /invoice?id=1234 — incrementing the ID to 1235 returns another user's invoice. Prevention: always verify that the authenticated user owns or has permission to access the requested resource, server-side, on every request.",
    "aliases": [
        "Insecure Direct Object Reference",
        "object reference vulnerability"
    ],
    "tags": [
        "authorisation",
        "owasp-top10",
        "cwe-639",
        "access-control"
    ],
    "misconception": "Using UUIDs instead of sequential IDs prevents IDOR. UUIDs make identifiers hard to guess, but they do not fix IDOR — if authorisation checks are missing, an attacker who obtains any valid UUID (from a shared link, a log, or another response) can still access that object freely.",
    "why_it_matters": "IDOR lets attackers access any user's data by simply changing an ID in the URL or request body. It is one of the most common API vulnerabilities because it is a business-logic flaw that automated scanners generally cannot detect, and it requires no special tools to exploit.",
    "common_mistakes": [
        "Assuming sequential IDs are \"hard to guess\" — automated tools enumerate thousands of IDs per second.",
        "Checking authentication but not ownership — verifying a user is logged in does not verify they own the resource.",
        "Using UUIDs and believing that makes IDOR impossible — obscurity without authorisation checks is not security.",
        "Only protecting read endpoints and forgetting update and delete routes."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "privilege_escalation",
        "mass_assignment",
        "session"
    ],
    "prerequisites": [
        "broken_access_control",
        "session",
        "principle_of_least_privilege"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet",
        "https://cwe.mitre.org/data/definitions/639.html"
    ],
    "bad_code": "// No ownership check — any authenticated user can view any order\npublic function show(int $orderId): JsonResponse {\n    return response()->json(Order::findOrFail($orderId));\n}",
    "good_code": "public function show(int $orderId): JsonResponse {\n    $order = Order::findOrFail($orderId);\n\n    // Enforce ownership — compare to the authenticated user\n    if ($order->user_id !== auth()->id()) {\n        abort(403); // Forbidden — not just 404\n    }\n\n    return response()->json($order);\n}\n\n// Or scope the query to the current user: the object is never fetched at all,\n// and the resulting 404 does not confirm that another user's order exists\n$order = auth()->user()->orders()->findOrFail($orderId);",
    "quick_fix": "After loading a resource by ID, always check server-side that $resource->user_id === auth()->id() (or scope the query to the authenticated user) — never assume that knowing the ID alone grants access.",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-13",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/idor",
        "html_url": "https://codeclaritylab.com/glossary/idor",
        "json_url": "https://codeclaritylab.com/glossary/idor.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Insecure Direct Object Reference (IDOR)](https://codeclaritylab.com/glossary/idor) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/idor"
            }
        }
    }
}