Insecure direct object references (IDOR)


Category: Broken Access Control

Severity: High


Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.


  • Unauthorized Data Access

  • Account Takeover

  • Information Disclosure


Access control vulnerabilities can be prevented by taking a defense-in-depth approach and applying the following principles:

  • Never rely on obfuscation alone for access control.

  • Unless a resource is intended to be publicly accessible, deny access by default.

  • Wherever possible, use a single application-wide mechanism for enforcing access controls.

  • At the code level, make it mandatory for developers to declare the access that is allowed for each resource, and deny access by default.

  • Thoroughly audit and test access controls to ensure they work as designed.
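The following Python is an added example, not code from the original page: it puts an IDOR-prone lookup beside a hardened version that applies the principles above, namely a single application-wide authorization mechanism, a declared rule per resource type, and denial by default when no rule is declared or the caller does not own the record. The `Invoice`/`REPORTS` data, user names, record identifiers and the `authorize`/`allow` helper names are all constructed for this illustration.

```python
"""Added example (not from the original page): an IDOR-prone lookup beside a
hardened version built on one deny-by-default authorization mechanism.
All records, user names and ids below are constructed sample data."""
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller may not reach the requested object."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample stores, keyed by the identifier a client would send.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
}
REPORTS = {7: {"report_id": 7, "owner": "alice"}}


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """IDOR: the user-supplied id is used directly and the caller is never
    compared with the record's owner, so any existing id is returned."""
    return INVOICES[invoice_id]


# --- hardened version -------------------------------------------------
# One application-wide registry of access rules. A resource type with no
# registered rule is denied, so forgetting to declare a rule fails closed.
ACCESS_RULES = {}


def allow(resource_type: str):
    """Declare the rule that decides whether a user may access a resource."""
    def register(rule):
        ACCESS_RULES[resource_type] = rule
        return rule
    return register


@allow("invoice")
def invoice_rule(current_user: str, invoice: Invoice) -> bool:
    # Ownership is checked against the stored record, never the request.
    return invoice.owner == current_user


def authorize(resource_type: str):
    """Decorator: load the object, then consult the registered rule for
    resource_type; deny unless a rule exists and explicitly allows."""
    def decorate(loader):
        @wraps(loader)
        def wrapper(current_user, object_id):
            obj = loader(current_user, object_id)
            rule = ACCESS_RULES.get(resource_type)
            if rule is None or not rule(current_user, obj):
                # Same error for "not yours" and "no rule declared".
                raise Forbidden(f"{resource_type} {object_id}")
            return obj
        return wrapper
    return decorate


@authorize("invoice")
def get_invoice(current_user: str, invoice_id: int) -> Invoice:
    """Loader only fetches; the decorator enforces authorization."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Unknown ids also surface as Forbidden, so responses do not
        # reveal which identifiers exist.
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


@authorize("report")
def get_report(current_user: str, report_id: int) -> dict:
    """No rule is declared for "report", so every call is denied until a
    developer adds one: the deny-by-default behaviour the principles call for."""
    report = REPORTS.get(report_id)
    if report is None:
        raise Forbidden(f"report {report_id}")
    return report


def can_access(loader, current_user: str, object_id: int) -> bool:
    """True when the loader grants current_user access to object_id."""
    try:
        loader(current_user, object_id)
        return True
    except Forbidden:
        return False


def missing_rules(resource_types) -> list:
    """Audit helper: resource types that have no declared access rule."""
    return sorted(t for t in resource_types if t not in ACCESS_RULES)
```

The check is on the stored owner, not on anything the client sends, so swapping the sequential integer ids for random tokens would change nothing about how access is decided; that is the point of not relying on obfuscation alone. `missing_rules` is the kind of check an audit step can run over every resource type the application exposes, so that an undeclared rule is found before a user finds it.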
