Insecure Direct Object Reference

What is IDOR?

IDOR stands for “Insecure Direct Object Reference”. And despite the intimidating name, IDOR is actually a very simple vulnerability to understand. Essentially, just remember this: IDOR is missing access control.

How to Find IDOR Vulnerability?

To find IDOR Vulnerability you need to first understand the application logic and flow and then try to find loopholes in that logic, also keep an eye out for different requests and if they are taking any kind of id, etc to identify a certain process uniquely.

  1. For example there is some chat functionality being used and to send a message you are a separate id provided now if an attacker gets that id, he can message from your side without any user interaction.
  2. For example, to check out a support request created a support id is given through which the application uniquely identifies the request and shows it, now if it is numeric that is sequential, an attacker can view all the support requests just by changing the number.

What are Different Types of IDOR?

There are many different types of IDOR some main are:

  1. Blind IDOR: The type of IDOR in which the results of the exploitation cannot be seen in the server response. For example modifying other users’ private data without accessing it.
  2. Generic IDOR: The type of IDOR in which the results of the exploitation can be seen in the server response. For example accessing confidential data or files belonging to another user.
  3. IDOR with Reference to Objects: Used to access or modify an unauthorized object. For example accessing bank account information of other users by sending such a request →{reference ID}
  4. IDOR with Reference to Files: Used to access an unauthorized file. For example a live chat server stores the confidential conversations in files with names as incrementing numbers and any conversation can be retrieved by just sending requests like this →,, and so on.

What is the Severity of IDOR Vulnerability?

IDOR is a very interesting vulnerability and each different case had different severity based on the impact or damage it is causing.

  1. Sequential/Numeric IDs: If the IDs are guessable and sequential, the attacker doesn’t have to do any user interaction to know the exact ID, he can just guess it hence “No User Interaction” Increases the severity. On other hand there are cases where the IDs are very random to know the exact ID. There will be some user interaction, hence in such cases the severity will be reduced due to “User Interaction”.
  2. Privileges Acquired by the IDOR: While exploiting this vulnerability the impact also depends on the privileges gathered like if you can only see the content or change it or delete it, hence in such cases severity increases respectively.

How to Mitigate IDOR Vulnerabilities?

● First, you should control all normal, ajax and API requests when creating an app. For example, can a read-only user write anything in an app? Or can non-admin users access and create API tokens that are only created by admin users? So, to test all of the IDOR vulnerabilities, you should think like a hacker.

Profile Links:




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Prajit Sindhkar

Prajit Sindhkar


I am a India Based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community