What is IDOR (Insecure Direct Object Reference)?

A classic authorization bug: the application exposes internal object identifiers (database keys, file names, account numbers) to the client, then serves whatever object a request names without verifying that the caller is entitled to that specific object.

Full explanation

IDOR is BOLA (Broken Object Level Authorization, the name used in the OWASP API Security Top 10) by an older name. Both describe the same class of vulnerability: an application that authenticates the caller but then relies on obscurity of the identifier, or on client-side controls, to prevent access to objects it never authorizes per object. Making identifiers unguessable (UUIDs, random tokens) does not fix the bug; it only raises the cost of finding a valid one, and a leaked or shared link still grants access. The defense is the same in both cases: re-authorize every object access server-side, on every request, by loading the object and checking that the authenticated principal is permitted to perform this operation on it.

Example

A PDF download link of the form `/download?file=invoice_42.pdf`, served to a logged-in customer. The server checks that the session is valid, but not that invoice 42 belongs to that session's account. The attacker changes 42 to 43 in the request and downloads another customer's invoice; because the identifiers are sequential, the same loop over a range of numbers harvests every invoice on the system.
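The handler above, first as the vulnerable version and then with the object re-authorized server-side, as an added example (this is illustrative code written for this page, not code from any real application). The in-memory invoice table, the account names `alice` and `bob`, and the `download_*`/`probe` function names are constructed for the demonstration; a real handler would run the same check against its database, typically by scoping the query to the authenticated account.

```python
"""Added example: the invoice download as an IDOR, then hardened.
INVOICES, the account names and the function names are constructed
stand-ins for a real application's storage and request handling."""
import re

# Constructed sample data: invoice id -> owning account and file bytes.
INVOICES = {
    42: {"owner": "alice", "pdf": b"%PDF-1.4 invoice 42 (alice)"},
    43: {"owner": "bob",   "pdf": b"%PDF-1.4 invoice 43 (bob)"},
}


class Forbidden(Exception):
    """Caller is not authenticated (would be HTTP 401/403)."""


class NotFound(Exception):
    """Object does not exist or is not visible to the caller (HTTP 404)."""


# Accept only the exact file-name pattern, so the file= parameter cannot be
# turned into a path (../) or into a reference to some other resource.
FILE_RE = re.compile(r"invoice_(\d+)\.pdf")


def parse_invoice_id(file_param: str) -> int:
    m = FILE_RE.fullmatch(file_param)
    if m is None:
        raise NotFound()
    return int(m.group(1))


def download_vulnerable(session_user, file_param: str) -> bytes:
    """IDOR: authentication is checked, but the object is fetched purely from
    the client-supplied id. Nothing ties the invoice to the caller."""
    if session_user is None:
        raise Forbidden()
    invoice_id = parse_invoice_id(file_param)
    if invoice_id not in INVOICES:
        raise NotFound()
    return INVOICES[invoice_id]["pdf"]


def download_secure(session_user, file_param: str) -> bytes:
    """Fix: re-authorize the object on every request. The owner comes from the
    server-side record, never from anything the client sent."""
    if session_user is None:
        raise Forbidden()
    invoice_id = parse_invoice_id(file_param)
    record = INVOICES.get(invoice_id)
    # Same 404 for "does not exist" and "not yours": otherwise the status code
    # becomes an oracle that tells an attacker which ids are worth trying.
    if record is None or record["owner"] != session_user:
        raise NotFound()
    return record["pdf"]


def probe(handler, session_user, invoice_id: int) -> str:
    """Run one request and reduce the outcome to a status string."""
    try:
        handler(session_user, f"invoice_{invoice_id}.pdf")
        return "200"
    except Forbidden:
        return "403"
    except NotFound:
        return "404"


def enumerate_ids(handler, session_user, ids) -> dict:
    """What the attacker's loop sees: status per id for a given session."""
    return {i: probe(handler, session_user, i) for i in ids}


if __name__ == "__main__":
    # alice's session walking the id space against each handler.
    print("vulnerable:", enumerate_ids(download_vulnerable, "alice", range(41, 45)))
    print("secure:    ", enumerate_ids(download_secure, "alice", range(41, 45)))
```

Against the vulnerable handler, `alice` gets a 200 for both 42 and 43; against the hardened one she gets 200 for 42 and an indistinguishable 404 for 43 and for ids that do not exist. In a real code base the equivalent of `download_secure` is usually a query scoped to the caller (`WHERE id = ? AND owner_id = ?`) rather than a fetch followed by a comparison, but the property being enforced is the same: the object is only returned if the server-side record ties it to the authenticated principal.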

FAQ

Is IDOR still relevant?

Yes. It remains one of the most common authorization flaws in web applications and APIs, and it is cited among the top three most common vulnerabilities in AI-generated code. The bug is a missing check rather than a malformed input, so input validation, framework defaults and most automated scanners do not catch it; it has to be found by testing each object reference with a second account.