TL;DR
IDOR (Insecure Direct Object Reference) happens when you can access someone else's data just by changing an ID in the URL or request. If /api/invoices/123 shows your invoice and changing it to /api/invoices/124 shows another user's invoice, that's IDOR. Fix it by always verifying the current user owns the requested resource.
The Simple Explanation
Your app uses IDs to fetch resources. User 1 has document ID 100, User 2 has document ID 101. If User 1 can request document 101 and see User 2's private data, that's an IDOR vulnerability. The app checked authentication (who you are) but not authorization (what you can access).
Example Vulnerability
// BAD: No ownership check
app.get('/api/documents/:id', async (req, res) => {
  const document = await db.documents.findById(req.params.id);
  res.json(document); // Anyone can access any document!
});
// GOOD: Check ownership
app.get('/api/documents/:id', async (req, res) => {
  const document = await db.documents.findById(req.params.id);

  // Handle a missing document before reading document.userId,
  // otherwise an unknown ID crashes the handler with a TypeError
  if (!document) {
    return res.status(404).json({ error: 'Not found' });
  }

  if (document.userId !== req.user.id) {
    return res.status(403).json({ error: 'Not authorized' });
  }

  res.json(document);
});
Prevention Strategies
- Always check ownership: Verify that the current user is allowed to access the resource
- Use indirect references: Map user-specific IDs to the real IDs server-side
- Implement RLS: Use Row Level Security in the database
- Use UUIDs: Harder to guess than sequential IDs
- Scope queries: Filter by user ID in the query itself
// Better: Include user ID in the query
const document = await db.documents.findOne({
  id: req.params.id,
  userId: req.user.id // Only finds if user owns it
});
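To see the difference between the unchecked lookup and the scoped query side by side, here is an added, runnable example that is not part of the original post. It replaces Express and the database with an in-memory stand-in (the documents table, db.findById/findOne, and the call helper are all constructed for this example) so both handlers can be exercised with the same requests.

```javascript
// Constructed sample rows: two users, one private document each.
const documents = [
  { id: 100, userId: 1, body: 'user 1 private notes' },
  { id: 101, userId: 2, body: 'user 2 private notes' },
];

// Stand-in for db.documents.findById / db.documents.findOne (hypothetical).
const db = {
  findById: (id) => documents.find((d) => d.id === id) || null,
  findOne: (where) =>
    documents.find((d) => Object.keys(where).every((k) => d[k] === where[k])) || null,
};

// Minimal req/res shape so the handlers run without Express.
// req.user is assumed to have been set by authentication middleware.
function call(handler, userId, docId) {
  const req = { user: { id: userId }, params: { id: String(docId) } };
  const res = {
    code: 200,
    status(c) { this.code = c; return this; },
    json(b) { this.body = b; return this; },
  };
  handler(req, res);
  return { status: res.code, body: res.body };
}

// BAD: authenticated, but not authorized. Any user can read any ID.
function vulnerableHandler(req, res) {
  const doc = db.findById(Number(req.params.id));
  if (!doc) return res.status(404).json({ error: 'Not found' });
  res.json(doc);
}

// GOOD: ownership is part of the query, so someone else's document is
// never returned at all. Answering 404 for both "missing" and "not yours"
// also avoids confirming to the caller that the ID exists.
function scopedHandler(req, res) {
  const doc = db.findOne({ id: Number(req.params.id), userId: req.user.id });
  if (!doc) return res.status(404).json({ error: 'Not found' });
  res.json(doc);
}
```

Running call(vulnerableHandler, 1, 101) returns user 2's document with status 200, while call(scopedHandler, 1, 101) returns 404; that single request is also the regression test worth keeping in your suite.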
How do I prevent IDOR vulnerabilities?
Always verify that the current user has permission to access the requested resource. Check ownership or permissions in your code, not just authentication. Use indirect references like UUIDs instead of sequential IDs. Implement proper authorization middleware that runs on every request.
Do UUIDs prevent IDOR?
UUIDs make IDOR harder because attackers cannot easily guess valid IDs. However, they do not prevent IDOR entirely. If an attacker learns a valid UUID (through a link, API response, or leak), they can still try to access it. You still need authorization checks.
What is the difference between IDOR and broken authorization?
IDOR is a type of broken authorization specifically involving direct object references. Broken authorization is the broader category that includes any failure to properly restrict access. IDOR typically involves changing IDs in URLs or request bodies to access other users' resources.