Insecure_direct_object_reference
Insecure direct object reference
Type of access control vulnerability in digital security
Insecure direct object reference (IDOR) is a type of access control vulnerability in digital security.[1]
This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. For example, if the request URL sent to a web site directly uses an easily enumerated unique identifier (such as http://foo.com/doc/1234
), that can provide an exploit for unintended access to all records.
A directory traversal attack is considered a special case of a IDOR.[2]
The vulnerability is of such significant concern that for many years it was listed as one of the Open Web Application Security Project’s (OWASP) Top 10 vulnerabilities.[3]