SecurityInfinity
MEDIUM SEVERITY | CWE-639: IDOR

Insecure Direct Object Reference

IDOR occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Common Attack Patterns

/api/users/123 -> /api/users/124
/invoices?id=100 -> /invoices?id=101
PUT /profile/123 (Change ID in URL)
GET /messages/123 (Try accessing other user's message)
POST /password_reset { 'user_id': 123 } -> 124

How to Prevent?

  • Implement proper access control checks for every object reference.
  • Use indirect references (like random tokens) instead of database IDs.
  • Validate that the current user owns the requested object.
  • Use GUIDs/UUIDs instead of sequential IDs to make enumeration harder.
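The checks above, as an added example that is not code from the original page: a vulnerable lookup that serves whatever invoice id the caller supplies, the same lookup with an ownership check, and a per-user indirect-reference map so the real database id never appears in the URL. The invoice table and user ids are constructed sample data; handlers return an (HTTP status, body) pair in place of a web framework.

```python
import secrets

# Constructed sample data: invoices keyed by the sequential ids that the
# /invoices?id=100 -> 101 pattern above enumerates.
INVOICES = {
    100: {"owner_id": 1, "total": 42.00},
    101: {"owner_id": 2, "total": 99.00},
}

def get_invoice_vulnerable(current_user_id, invoice_id):
    """Vulnerable handler: any id the caller supplies is served, regardless of owner."""
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, None)

def get_invoice_checked(current_user_id, invoice_id):
    """Hardened handler: look the object up, then verify the requester owns it."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner_id"] != current_user_id:
        # One response for both 'missing' and 'not yours', so a probe
        # cannot learn which ids exist from the status code.
        return (404, None)
    return (200, invoice)

class ReferenceMap:
    """Indirect references: a per-user random token stands in for the real database id."""
    def __init__(self):
        self._tokens = {}  # (user_id, token) -> real id, kept server-side only

    def issue(self, user_id, real_id):
        token = secrets.token_urlsafe(16)  # unguessable, unlike a sequential id
        self._tokens[(user_id, token)] = real_id
        return token

    def resolve(self, user_id, token):
        # A token issued to one user resolves to nothing for any other user.
        return self._tokens.get((user_id, token))

def get_invoice_indirect(refmap, current_user_id, token):
    """Handler that accepts only an indirect reference and still re-checks ownership."""
    real_id = refmap.resolve(current_user_id, token)
    if real_id is None:
        return (404, None)
    return get_invoice_checked(current_user_id, real_id)
```

The indirect handler keeps the ownership check as well, because the token only hides the id; the access control decision is still made on the object itself.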
© 2026 SecurityInfinity. All rights reserved.