Insecure Direct Object Reference (IDOR) (CWE-639)



IDOR (Insecure Direct Object Reference) is one of the most common vulnerabilities found in web applications and APIs. It occurs when an application uses a user-supplied identifier to look up an object but never verifies that the requesting user is authorized to access that object (CWE-639, Authorization Bypass Through User-Controlled Key). The problem is not that the input is malformed; it is that the server trusts the reference without an access-control check.

Most web applications use IDs as references to objects. For example, each user has a user id, which is the primary key of that entity, and the application accepts that id in a URL or request parameter to decide which record to return.

Example 1

Consider a website with user registration and login features. After a successful registration or login, it displays a profile page containing all profile details such as name, email, photo, mobile number, social security number, etc. The profile to display is selected by a sequential numeric id passed in the URL.

When the attacker changes the id in the URL to 110, the page shows the profile details of another user! Because the ids are sequential, an attacker can quickly collect every user's profile details with a small script like the following.

#!/usr/bin/env python3
import requests

url = ""  # base URL of the profile page; the numeric id is appended to it
for i in range(1, 110):
    # Request each sequential id while logged in as the attacker
    response = requests.get(url + str(i))
    # Save every victim's profile page to its own file
    with open(f"{i}_response.txt", "w") as f:
        f.write(response.text)

This is a simple example of IDOR; there are many other places where it may exist, including any parameter that names a record (invoice numbers, order ids, file names, message ids).

Example 2

Suppose the website has an Update Password page. After logging in, the user can update his or her password. The following HTTP POST request is sent to the server when the user clicks Update; the server identifies the account to change by the email field in the request rather than by the logged-in session.

POST /app/customer/reset-password HTTP/1.1

Because the server trusts the email supplied by the client, an attacker can change the email to any other user's address and send the same request as,

POST /app/customer/reset-password HTTP/1.1

Thus, IDOR can lead directly to account takeover: the attacker sets a new password on the victim's account and logs in with it.

Impact

  • Account takeover.
  • Access to very sensitive data (personal details, identifiers, financial records).
  • View, edit or delete data belonging to other users.
  • Perform actions the user is not entitled to perform (privilege escalation).

Mitigation

  • Use indirect reference maps
    • Instead of exposing database IDs, hand out a random alphanumeric string (unguessable, not sequential) and map it to the actual object.
    • Store this mapping of reference to object on the server (for example per session), never on the client.
    • An indirect reference stops enumeration but is not a substitute for authorization: the server must still confirm the resolved object belongs to the requester.
  • Implement access-control policies at the object level, so every read, update or delete of a record checks ownership, not just the user's role.
  • Check the user's authentication and authorization
    • Before serving each request, check that the user is authenticated; if not, redirect to the login page.
    • Check that the authenticated user is authorized to access the particular object requested, and derive the target account for sensitive actions (such as a password change) from the session, never from a client-supplied identifier.
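The following is an added example, not code from the original article. It shows the password-change flaw from Example 2 and the mitigations above in one place: a handler that trusts the id from the URL, the same handler with an object-level ownership check, a per-session indirect reference map, and a password change that takes the target account from the session instead of the request body. The profile records, account names and the `denies` helper are constructed for the example and stand in for the application's database and its session layer.

```python
import secrets
from typing import Callable, Optional

# Constructed sample data standing in for the application's database.
# Real ids are sequential, exactly the property the attacker abused above.
PROFILES = {
    109: {"owner": "alice", "email": "alice@example.test", "name": "Alice", "ssn": "REDACTED-109"},
    110: {"owner": "bob", "email": "bob@example.test", "name": "Bob", "ssn": "REDACTED-110"},
}
PASSWORDS = {"alice": "old-alice-pw", "bob": "old-bob-pw"}


class AuthorizationError(Exception):
    """Raised when the requester may not act on the referenced object."""


# --- Example 1 as written: the handler trusts the id taken from the URL ------
def vulnerable_profile(session_user: str, profile_id: int) -> dict:
    # The user is authenticated, but nothing checks that profile_id is theirs.
    return PROFILES[profile_id]


# --- Hardened: object-level authorization on every request ------------------
def secure_profile(session_user: str, profile_id: int) -> dict:
    profile = PROFILES.get(profile_id)
    # One response for "does not exist" and "not yours", so probing ids
    # tells the attacker nothing about which ones are valid.
    if profile is None or profile["owner"] != session_user:
        raise AuthorizationError("profile not found")
    return profile


# --- Indirect reference map: random per-session handles instead of ids ------
class ReferenceMap:
    """Maps unguessable tokens to real ids; kept server side, one per session."""

    def __init__(self) -> None:
        self._id_by_token: dict[str, int] = {}
        self._token_by_id: dict[int, str] = {}

    def reference_for(self, real_id: int) -> str:
        """Hand out (or reuse) a random token for an object the user may see."""
        if real_id not in self._token_by_id:
            token = secrets.token_urlsafe(16)  # 128 random bits: not enumerable
            self._token_by_id[real_id] = token
            self._id_by_token[token] = real_id
        return self._token_by_id[real_id]

    def resolve(self, token: str) -> Optional[int]:
        """Translate a token back to the real id; guesses resolve to None."""
        return self._id_by_token.get(token)


def profile_via_reference(session_user: str, refmap: ReferenceMap, token: str) -> dict:
    real_id = refmap.resolve(token)
    if real_id is None:
        raise AuthorizationError("profile not found")
    # The map only removes enumeration; the ownership check still runs.
    return secure_profile(session_user, real_id)


# --- Example 2 hardened: the target account comes from the session ----------
def secure_reset_password(session_user: str, body: dict) -> str:
    # Any "email" field the client sends is ignored. The account to change is
    # the one the session belongs to, so an attacker cannot pick a victim.
    PASSWORDS[session_user] = body["new_password"]
    return session_user


def denies(handler: Callable, *args) -> bool:
    """True if the handler refuses the request with AuthorizationError."""
    try:
        handler(*args)
    except AuthorizationError:
        return True
    return False
```

Note that `secure_profile` returns the same error for a missing record and for someone else's record; returning "forbidden" for the latter would confirm to the attacker that id 110 exists. The reference map is a layer on top of that check, not a replacement for it.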