[{"data":1,"prerenderedAt":186},["ShallowReactive",2],{"blog-glossary/idor":3},{"id":4,"title":5,"body":6,"category":162,"date":163,"dateModified":163,"description":164,"draft":165,"extension":166,"faq":167,"featured":165,"headerVariant":171,"image":172,"keywords":172,"meta":173,"navigation":174,"ogDescription":175,"ogTitle":172,"path":176,"readTime":177,"schemaOrg":178,"schemaType":179,"seo":180,"sitemap":181,"stem":182,"tags":183,"twitterCard":184,"__hash__":185},"blog/blog/glossary/idor.md","What is IDOR? Insecure Direct Object Reference",{"type":7,"value":8,"toc":154},"minimark",[9,25,30,33,37,44,56,60,95,101,123,142],[10,11,12],"tldr",{},[13,14,15,16,20,21,24],"p",{},"IDOR (Insecure Direct Object Reference) happens when you can access someone else's data just by changing an ID in the URL or request. If ",[17,18,19],"code",{},"/api/invoices/123"," shows your invoice and changing it to ",[17,22,23],{},"/api/invoices/124"," shows another user's invoice, that's IDOR. Fix it by always verifying the current user owns the requested resource.",[26,27,29],"h2",{"id":28},"the-simple-explanation","The Simple Explanation",[13,31,32],{},"Your app uses IDs to fetch resources. User 1 has document ID 100, User 2 has document ID 101. If User 1 can request document 101 and see User 2's private data, that's an IDOR vulnerability. The app checked authentication (who you are) but not authorization (what you can access).",[26,34,36],{"id":35},"example-vulnerability","Example Vulnerability",[38,39,41],"prompt-box",{"title":40},"Vulnerable code",[13,42,43],{},"// BAD: No ownership check\napp.get('/api/documents/:id', async (req, res) => {\n  const document = await db.documents.findById(req.params.id);\n  res.json(document); // Anyone can access any document!\n});",[38,45,47,50,53],{"title":46},"Fixed code",[13,48,49],{},"// GOOD: Check ownership\napp.get('/api/documents/:id', async (req, res) => {\n  const document = await db.documents.findById(req.params.id);",[13,51,52],{},"  // Also guard against a missing document so .userId cannot throw\n  if (!document || document.userId !== req.user.id) {\n    return res.status(403).json({ error: 'Not authorized' });\n  }",[13,54,55],{},"  res.json(document);\n});",[26,57,59],{"id":58},"prevention-strategies","Prevention Strategies",[61,62,63,71,77,83,89],"ul",{},[64,65,66,70],"li",{},[67,68,69],"strong",{},"Always check ownership:"," Verify the user can access the resource",[64,72,73,76],{},[67,74,75],{},"Use indirect references:"," Map user-specific IDs to real IDs",[64,78,79,82],{},[67,80,81],{},"Implement RLS:"," Row Level Security in the database",[64,84,85,88],{},[67,86,87],{},"Use UUIDs:"," Harder to guess than sequential IDs",[64,90,91,94],{},[67,92,93],{},"Scope queries:"," Filter by user ID in the query itself",[38,96,98],{"title":97},"Scoped query approach",[13,99,100],{},"// Better: Include user ID in the query\nconst document = await db.documents.findOne({\n  id: req.params.id,\n  userId: req.user.id  // Only finds if user owns it\n});",[102,103,104,111,117],"faq-section",{},[105,106,108],"faq-item",{"question":107},"How do I prevent IDOR vulnerabilities?",[13,109,110],{},"Always verify that the current user has permission to access the requested resource. Check ownership or permissions in your code, not just authentication. Use indirect references like UUIDs instead of sequential IDs. Implement proper authorization middleware that runs on every request.",[105,112,114],{"question":113},"Do UUIDs prevent IDOR?",[13,115,116],{},"UUIDs make IDOR harder because attackers cannot easily guess valid IDs. However, they do not prevent IDOR entirely. If an attacker learns a valid UUID (through a link, API response, or leak), they can still try to access it. You still need authorization checks.",[105,118,120],{"question":119},"What is the difference between IDOR and broken authorization?",[13,121,122],{},"IDOR is a type of broken authorization specifically involving direct object references. Broken authorization is the broader category that includes any failure to properly restrict access. IDOR typically involves changing IDs in URLs or request bodies to access other users' resources.",[124,125,126,132,137],"related-articles",{},[127,128],"related-card",{"description":129,"href":130,"title":131},"What IDOR bypasses","/blog/glossary/authorization","Authorization",[127,133],{"description":134,"href":135,"title":136},"Database-level protection","/blog/glossary/rls","Row Level Security",[127,138],{"description":139,"href":140,"title":141},"Not enough without authz","/blog/glossary/authentication","Authentication",[143,144,147,151],"cta-box",{"href":145,"label":146},"/","Start Free Scan",[26,148,150],{"id":149},"find-idor-vulnerabilities","Find IDOR Vulnerabilities",[13,152,153],{},"Scan your app for authorization issues and IDOR.",{"title":155,"searchDepth":156,"depth":156,"links":157},"",2,[158,159,160,161],{"id":28,"depth":156,"text":29},{"id":35,"depth":156,"text":36},{"id":58,"depth":156,"text":59},{"id":149,"depth":156,"text":150},"glossary","2026-01-08","Learn what IDOR vulnerabilities are, how attackers exploit them, and how to prevent unauthorized data access in your app.",false,"md",[168,169,170],{"question":107,"answer":110},{"question":113,"answer":116},{"question":119,"answer":122},"green",null,{},true,"IDOR lets attackers access other users' data by changing IDs. Learn how to prevent it.","/blog/glossary/idor","4 min read","[object Object]","DefinedTerm",{"title":5,"description":164},{"loc":176},"blog/glossary/idor",[],"summary_large_image","vZJCDr1OORm8vjX4pKMeTXr4cIjNQtuw0zNH2si_-qg",1775843922627]