IDOR (Insecure Direct Object Reference)
The app exposes object IDs in URL or body without verifying user ownership.
Category: Web · OWASP Top 10 🎯 Trench — The app exposes object IDs in URL or body without verifying user ownership. You change?invoice=1042 to
?invoice=1043 and you see your neighbor’s invoice.
🔗 Kill chain — Prerequisite: valid user account. Next: mass
enumeration (scripted), PII exfiltration, modification of others’
objects, vertical escalation (?role=admin).
📡 Defensive footprint — Anomalous read endpoint volume from a
single user. Access to IDs not linked in their browsing history.
⚠️ False friend — Testing only +1 increments. Real IDs are
often predictable UUIDs, weak hashes, or decodable base64 tokens.
🛡️ Remediation — Always verify ownership in the backend.
The frontend hiding the button isn’t enough.
← Back to the full glossary Last updated: 2026-06-11