Insecure Direct Object Reference (IDOR)
A vulnerability where an application exposes internal object identifiers without proper authorization, allowing access to other users' data.
Insecure Direct Object Reference (IDOR) occurs when an application uses user-supplied input to directly access objects (like database records, files, or API resources) without verifying that the user is authorized to access them. For example, changing /api/users/123/profile to /api/users/124/profile might expose another user's profile data.
IDOR is a specific instance of broken access control and is extremely common in web applications, particularly in APIs. It affects any endpoint that references objects by ID — user profiles, orders, documents, messages, invoices, and more. The vulnerability is especially dangerous because it often exposes sensitive personal or financial data.
IDOR is difficult to detect with automated tools because it requires understanding the application's authorization model. A scanner needs to know that user A shouldn't be able to access user B's resources, which requires multi-user testing context.
How APVISO tests for this: APVISO's scanner agent systematically manipulates object identifiers (numeric IDs, UUIDs, slugs) across all discovered API endpoints. The lead agent coordinates multi-session testing to verify whether resources belonging to one user are accessible to another.
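The profile endpoint from the example above, modelled as an added illustration that is not APVISO's code: a handler that trusts the caller-supplied id beside one that checks ownership, plus the multi-session check the text describes (each user requests ids owned by another user). All names, the in-memory PROFILES store and the SESSIONS map are constructed for this example.

```python
"""Minimal model of an IDOR-prone profile endpoint and the multi-session
check that exposes it. Constructed example; not APVISO's code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: two users, each owning one profile record.
PROFILES = {
    123: {"owner": "alice", "email": "alice@example.com"},
    124: {"owner": "bob", "email": "bob@example.com"},
}

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def get_profile_vulnerable(session_user: str, profile_id: int) -> Response:
    """Looks up the record by the caller-supplied id only. The authenticated
    user is never compared with the record owner, so /api/users/124/profile
    is served to alice just as readily as /api/users/123/profile."""
    record = PROFILES.get(profile_id)
    if record is None:
        return Response(404)
    return Response(200, record)

def get_profile_fixed(session_user: str, profile_id: int) -> Response:
    """Same lookup, but the object is returned only when the session user
    owns it. Answering 404 for both missing and foreign records avoids
    confirming which ids exist."""
    record = PROFILES.get(profile_id)
    if record is None or record["owner"] != session_user:
        return Response(404)
    return Response(200, record)

def cross_user_check(handler: Callable[[str, int], Response],
                     sessions: Dict[str, List[int]]) -> List[Tuple[str, int]]:
    """Multi-session IDOR check: every user requests every id owned by some
    other user. Returns the (user, id) pairs that were wrongly served."""
    leaks = []
    for user in sessions:
        foreign = [i for u, ids in sessions.items() if u != user for i in ids]
        for pid in foreign:
            if handler(user, pid).status == 200:
                leaks.append((user, pid))
    return leaks

# Constructed session map: which ids each authenticated user legitimately owns.
SESSIONS = {"alice": [123], "bob": [124]}

if __name__ == "__main__":
    print("vulnerable:", cross_user_check(get_profile_vulnerable, SESSIONS))
    print("fixed:     ", cross_user_check(get_profile_fixed, SESSIONS))
```

The check needs at least two authenticated sessions and a map of who owns what, which is the "multi-user testing context" a single-session scanner lacks.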
Test your applications for Insecure Direct Object Reference (IDOR) vulnerabilities
APVISO's AI agents automatically test for this and many more vulnerability categories.
Start Testing Free