IDOR occurs when an application exposes internal implementation objects (like database IDs) and fails to verify that users are authorized to access the referenced resource.
Insecure Direct Object References (IDOR) is an access control vulnerability where an application uses user-supplied input to directly access objects (like database records, files, or API resources) without verifying the user's authorization to access that specific object. The vulnerability occurs when internal identifiers such as database IDs, filenames, or sequential numbers are exposed in URLs, form fields, or API parameters.
For example, if a user can view their invoice at `/api/invoices/1234` and simply changing the ID to `/api/invoices/1235` reveals another user's invoice, that is an IDOR vulnerability. The application checked that the user was authenticated but failed to verify that the specific invoice belongs to that user.
IDOR vulnerabilities can expose sensitive data belonging to other users, including personal information, financial records, private messages, and documents. Because IDOR exploits are simple (often just changing a number in a URL), they are frequently discovered by unsophisticated attackers or automated scanners. The impact scales with the sensitivity of the exposed data and the number of affected records. In multi-tenant SaaS applications, IDOR can allow one customer to access another customer's data, leading to severe trust and compliance issues. IDOR was a factor in several major data breaches, including the 2019 First American Financial breach that exposed 885 million records.
Implement proper authorization checks for every data access operation. Never rely solely on authentication -- verify that the authenticated user has permission to access the specific requested resource. In database queries, always filter by the current user's ID or organization (e.g., `WHERE user_id = :currentUser AND id = :requestedId`). Use Supabase Row Level Security (RLS) policies or similar database-level access controls. Replace sequential IDs with UUIDs in public-facing interfaces to reduce enumeration risk (but still verify authorization). Implement access control at the service layer, not just the controller layer. Conduct authorization testing as part of your security review process.
Select your framework for a detailed guide on fixing Insecure Direct Object References (IDOR) with framework-specific code examples and security checklists.
Cross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users, enabling session hijacking, data theft, and defacement.
SQL Injection
SQL Injection allows attackers to interfere with database queries, potentially reading, modifying, or deleting data, and in some cases executing system commands.
Cross-Site Request Forgery (CSRF)
CSRF forces authenticated users to execute unwanted actions on a web application, exploiting the trust a site has in a user's browser.
Broken Authentication
Broken authentication encompasses weaknesses in session management, credential handling, and identity verification that allow attackers to compromise user accounts.
Security Misconfiguration
Security misconfiguration encompasses insecure default settings, open cloud storage, verbose error messages, unnecessary features, and missing security headers.
Sensitive Data Exposure
Sensitive data exposure occurs when applications fail to adequately protect sensitive information like credentials, tokens, personal data, or financial information.
Missing Rate Limiting
Missing rate limiting allows attackers to perform brute force attacks, credential stuffing, API abuse, and denial of service by making unlimited requests.
JWT Vulnerabilities
JWT vulnerabilities include algorithm confusion, missing validation, token leakage, and improper key management that can lead to authentication bypass.
Path Traversal
Path traversal allows attackers to access files and directories stored outside the intended directory by manipulating file path references.
Command Injection
Command injection allows attackers to execute arbitrary operating system commands on the server through vulnerable application interfaces.
Server-Side Request Forgery (SSRF)
SSRF allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services, metadata APIs, and private networks.
File Upload Vulnerabilities
Insecure file upload handling can allow attackers to upload malicious files including web shells, malware, or files that exploit server-side processing.
Insecure Deserialization
Insecure deserialization allows attackers to manipulate serialized objects to achieve remote code execution, replay attacks, injection, or privilege escalation.
Row Level Security (RLS) Bypass
RLS bypass vulnerabilities occur when database-level access policies are missing, misconfigured, or can be circumvented, exposing data across tenant boundaries.
SafeVibe runs automated penetration tests to detect Insecure Direct Object References (IDOR) and 14 other vulnerability types in your application.
Start Free Scan