IDOR: The Most Common Access Control Attack

Task 1
IDOR: The Most Common Access Control Attack

IDOR stands for Insecure Direct Object Reference.

The name sounds technical but the idea is extremely simple. Let me show you with a story.

You just bought something online. The order confirmation page URL in your browser looks like this:

https://shoppingsite.com/orders?order_id=10245

You get curious. You change 10245 to 10244 and press Enter.

The page loads. You are now looking at someone else's order. Their full name, their delivery address, their phone number, what they ordered: everything is visible to you.

That is IDOR. The application checked "is this user logged in?" and the answer was yes. But it never checked "does this order actually belong to this user?" — that check was missing.

Why do developers make this mistake?

When building a feature quickly, developers write: "When a user requests order ID 10245, fetch order 10245 from the database and show it." Simple logic. But they forgot to add one extra condition: "AND make sure this order belongs to the currently logged in user."

That one missing condition exposes every single user's order to every other user.
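To make the missing condition concrete, here is an added example (not code from the original page or from any real shopping site) with a constructed in-memory orders table: one handler with the IDOR pattern and one with the ownership check added to the query. The table, user names and order IDs are all assumptions.

```python
import sqlite3

# Constructed sample data standing in for the shopping site's orders table.
SAMPLE_ORDERS = [
    (10244, "alice", "Alice Example, 1 Main St, 555-0100", "Headphones"),
    (10245, "bob",   "Bob Example, 2 High St, 555-0101",   "Keyboard"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, owner TEXT, "
        "delivery TEXT, item TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def get_order_vulnerable(conn, current_user, order_id):
    """The IDOR pattern: the handler knows who is logged in but filters
    only by order_id, so any authenticated user can read any order."""
    if current_user is None:  # authentication check only
        return None
    return conn.execute(
        "SELECT order_id, owner, delivery, item FROM orders WHERE order_id = ?",
        (order_id,),
    ).fetchone()


def get_order_fixed(conn, current_user, order_id):
    """The fix: the query carries the missing condition ('AND the order
    belongs to the logged-in user'), so a foreign order_id returns nothing."""
    if current_user is None:
        return None
    return conn.execute(
        "SELECT order_id, owner, delivery, item FROM orders "
        "WHERE order_id = ? AND owner = ?",
        (order_id, current_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Bob changes 10245 to 10244 in the URL and requests Alice's order.
    print("vulnerable:", get_order_vulnerable(db, "bob", 10244))
    print("fixed:     ", get_order_fixed(db, "bob", 10244))
```

In a real handler, `current_user` must come from the server-side session, never from a client-supplied cookie value or request parameter, otherwise the ownership check compares against a value the attacker controls.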

Three Types of IDOR:

URL-based IDOR: The ID is visible directly in the URL, like the example above. This is the most common and easiest to find. Anyone can see and modify the URL.

Body-based IDOR: The ID is hidden inside the request body or JSON data. You cannot see it just by looking at the URL. You need a tool like Burp Suite to intercept and modify the request.

Cookie-based IDOR: The ID is stored inside a cookie. When the application reads the user ID from the cookie and trusts it completely without server-side validation, an attacker can modify the cookie value to impersonate another user.

Real World Case: Facebook 2015

A security researcher named Laxman Muthiyah discovered that Facebook's API had an IDOR vulnerability. By changing object IDs in certain API requests, he could delete any photo album belonging to any Facebook user in the world — without being their friend, without knowing them, without any connection to them at all.

He reported it responsibly to Facebook. They paid him $12,500 as a bug bounty reward. If a malicious attacker had found this first, millions of people's photos could have been permanently deleted.

Answer the following:

What does IDOR stand for?