Skip to main content

IDOR (Insecure Direct Object Reference)

The app exposes object IDs in URL or body without verifying user ownership.

Category: Web · OWASP Top 10 🎯 Trench — The app exposes object IDs in URL or body without verifying user ownership. You change ?invoice=1042 to ?invoice=1043 and you see your neighbor’s invoice. 🔗 Kill chain — Prerequisite: valid user account. Next: mass enumeration (scripted), PII exfiltration, modification of others’ objects, vertical escalation (?role=admin). 📡 Defensive footprint — Anomalous read endpoint volume from a single user. Access to IDs not linked in their browsing history. ⚠️ False friend — Testing only +1 increments. Real IDs are often predictable UUIDs, weak hashes, or decodable base64 tokens. 🛡️ RemediationAlways verify ownership in the backend. The frontend hiding the button isn’t enough.

Back to the full glossary Last updated: 2026-06-11