What is Insecure Direct Object Reference (IDOR)? - apviso

Insecure Direct Object Reference (IDOR)
=======================================

A vulnerability where an application exposes internal object identifiers without proper authorization, allowing access to other users' data.

Tags: vulnerability, access control, API security

Insecure Direct Object Reference (IDOR) occurs when an application uses user-supplied input to directly access objects (such as database records, files, or API resources) without verifying that the requesting user is authorized to access them. For example, changing `/api/users/123/profile` to `/api/users/124/profile` might expose another user's profile data.

IDOR is a specific instance of broken access control and is extremely common in web applications, particularly in APIs. It affects any endpoint that references objects by ID — user profiles, orders, documents, messages, invoices, and more. The vulnerability is especially dangerous because it often exposes sensitive personal or financial data.

IDOR is difficult to detect with automated tools because it requires understanding the application's authorization model. A pentester needs to know that user A shouldn't be able to access user B's resources, which requires multi-user testing context.
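The profile endpoint the text uses as its example, as an added illustration that is not code from the apviso page or product: a lookup with the IDOR defect, the same lookup with an ownership check bound to the session identity, and the two-user check the text says a tester needs. All function names, IDs and profile data are constructed for this example.

```python
# Added example (not from the apviso page): a minimal /api/users/{id}/profile
# handler with the IDOR defect, the fixed version, and a two-user check.
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two users, each owning exactly one profile record.
PROFILES = {
    123: {"owner_id": 123, "email": "alice@example.test", "balance": 250},
    124: {"owner_id": 124, "email": "bob@example.test", "balance": 9000},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_profile_insecure(session_user_id: int, profile_id: int) -> Response:
    """Vulnerable: the client-supplied profile_id selects the record directly.
    Nothing ties the record to the caller, so changing 123 -> 124 succeeds."""
    record = PROFILES.get(profile_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def get_profile_secure(session_user_id: int, profile_id: int) -> Response:
    """Fixed: authorization is decided from the authenticated session identity,
    never from anything the client sent. Answering 404 rather than 403 for
    another user's record also avoids confirming that the ID exists."""
    record = PROFILES.get(profile_id)
    if record is None or record["owner_id"] != session_user_id:
        return Response(404)
    return Response(200, record)


def cross_user_access_possible(handler: Callable[[int, int], Response],
                               user_a: int, user_b: int) -> bool:
    """The multi-user check described in the text: can a session belonging
    to user A read user B's profile? True means the handler has an IDOR."""
    resp = handler(session_user_id=user_a, profile_id=user_b)
    return resp.status == 200 and resp.body["owner_id"] == user_b


if __name__ == "__main__":
    for name, handler in (("insecure", get_profile_insecure),
                          ("secure", get_profile_secure)):
        leak = cross_user_access_possible(handler, 123, 124)
        print(f"{name}: cross-user read possible = {leak}")
```

The same two-session check can be wired into an API test suite so that every ID-bearing endpoint is exercised with one user's session against another user's object IDs.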

How APVISO tests for this: APVISO's pentester agent systematically manipulates object identifiers (numeric IDs, UUIDs, slugs) across all discovered API endpoints. The lead agent coordinates multi-session testing to verify whether resources belonging to one user are accessible to another.

Related Terms
-------------

- [Broken Access Control](/glossary/broken-access-control)
- [Privilege Escalation](/glossary/privilege-escalation)
- [OWASP Top 10](/glossary/owasp-top-10)

Test your applications for Insecure Direct Object Reference (IDOR) vulnerabilities
----------------------------------------------------------------------------------

APVISO's AI agents automatically test for this and many more vulnerability categories.

[Contact sales](/contact)

© 2026 APVISO. All rights reserved.
