Insecure Direct Object References
• Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web
application developer uses an identifier for direct access to an internal implementation object but
performs no additional access-control or authorization check on it. For example, an IDOR
vulnerability would arise if the identifier in the URL of a transaction could be changed through
client-side user input to show data from another transaction the user is not authorized to see.
• Most web applications use simple IDs to reference objects. For example, a user in a database will
usually be referred to by the user ID. The same user ID is the primary key of the database table
that stores user information and is generated automatically. The database key generation algorithm
is very simple: it usually uses the next available integer, which makes valid IDs easy to guess.
The same ID generation mechanism is used for all other types of database records.
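The following is an added example, not code from the original page or from the Acunetix article it links. It illustrates both points above in one place: a transaction lookup that takes the sequential integer ID straight from the request and returns the record with no authorization check (the IDOR), beside a fixed version that compares the record's owner with the server-side session user, plus a query-scoping variant and a CSPRNG-generated public identifier as defence in depth. The data store, user names, transaction IDs and function names are all constructed for the example.

```python
"""
Constructed example (not from the original page): a minimal transaction
lookup vulnerable to IDOR, beside a hardened version that enforces an
ownership check. The store, users and transactions below are made up.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    id: int
    owner: str
    amount: int
    memo: str


# Constructed data store: sequential integer ids, as most apps generate them,
# so a valid id is trivially derived from any other valid id.
TRANSACTIONS = {
    1001: Transaction(1001, "alice", 250, "rent"),
    1002: Transaction(1002, "bob", 40, "groceries"),
    1003: Transaction(1003, "alice", 12, "coffee"),
}


class NotFound(Exception):
    """Raised when a record does not exist or the caller may not see it."""


def get_transaction_insecure(session_user: str, txn_id: int) -> Transaction:
    """Vulnerable: the id from the request is used directly as the lookup key.
    The authenticated user is never compared with the record's owner, so any
    logged-in user can read any transaction by changing the id in the URL."""
    try:
        return TRANSACTIONS[txn_id]
    except KeyError:
        raise NotFound(txn_id)


def get_transaction_secure(session_user: str, txn_id: int) -> Transaction:
    """Fixed: an authorization check after the lookup. The owner identity comes
    from the server-side session, never from the request. Missing and forbidden
    records raise the same error so the caller cannot tell which ids exist."""
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or txn.owner != session_user:
        raise NotFound(txn_id)
    return txn


def owned_transaction_ids(session_user: str) -> list[int]:
    """Alternative pattern: scope the query to the session user up front, so the
    handler never touches records outside the caller's own set."""
    return sorted(t.id for t in TRANSACTIONS.values() if t.owner == session_user)


def new_reference_id() -> str:
    """Defence in depth: an unguessable public identifier (128 bits from the OS
    CSPRNG) to expose in URLs instead of the sequential primary key. It makes ids
    hard to enumerate but is not a substitute for the ownership check above."""
    return secrets.token_urlsafe(16)


def demo() -> tuple[bool, bool]:
    """Returns (insecure_leaks, secure_blocks) for bob requesting alice's txn 1001."""
    leaks = get_transaction_insecure("bob", 1001).owner == "alice"
    try:
        get_transaction_secure("bob", 1001)
        blocks = False
    except NotFound:
        blocks = True
    return leaks, blocks


if __name__ == "__main__":
    print(demo())  # (True, True)
```

In a real framework the `session_user` argument is whatever the authenticated session resolves to on the server (never a user ID submitted by the client), and the ownership comparison, or the scoped query, belongs in every handler that accepts an object identifier, not only the one shown here.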
• https://www.acunetix.com/blog/web-security-zone/what-are-insecure-direct-object-references/