Kick start your mastery of Insecure Direct Object References with free learning resources
What is this vulnerability?
An insecure direct object reference (IDOR) vulnerability occurs when an application exposes a reference to an internal object (a database key, a file name, a record ID) and then uses a client-supplied value of that reference to fetch the object without checking that the requesting user is authorized to access it. The reference itself becomes the only "protection", so any user who can supply or guess a valid value bypasses the intended access control. This usually applies to user content created or uploaded into the system (documents, invoices, messages, profile data) and is closely related to the "Forceful Browsing" vulnerability, where a user reaches a protected page or resource by requesting its URL directly.
Where does this vulnerability usually arise?
This vulnerability usually manifests when an input parameter (a query string, path segment, form field, or API body value) is used directly to look up an object, file or other content, but the application does not check whether the authenticated user is allowed to access that particular resource. For example, an application may accept an ID value, use it to look up a record, and display the record to the user. If the application only checks that the user is logged in, and not that the user owns or is otherwise entitled to the record with that ID, an attacker can substitute other IDs and read, and sometimes modify or delete, other users' data. Sequential integer IDs make this especially easy, since valid values can be enumerated by simply incrementing the number; obscure or random IDs raise the cost of guessing but are not a substitute for an authorization check on every request.
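The following is an added example, written for this page rather than taken from any particular product, that shows the lookup pattern described above in both its vulnerable and its corrected form. It uses an in-memory SQLite table of invoices (constructed sample data) and a small enumeration loop standing in for an attacker who walks through sequential IDs. The table, column names, and the hypothetical functions `get_invoice_vulnerable` and `get_invoice_hardened` are assumptions made for the example, not part of the original page.

```python
import sqlite3


def make_db():
    """Build a constructed sample database: three invoices owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1001, 1, 250), (1002, 2, 9900), (1003, 1, 40)],  # constructed sample rows
    )
    conn.commit()
    return conn


class NotFound(Exception):
    """Raised when no record is visible to the caller (missing or not authorized)."""


def get_invoice_vulnerable(conn, current_user_id, invoice_id):
    """IDOR: the lookup trusts the client-supplied invoice_id and never
    consults current_user_id, so any authenticated user can read any invoice."""
    row = conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()
    if row is None:
        raise NotFound(invoice_id)
    return {"id": row[0], "owner_id": row[1], "amount": row[2]}


def get_invoice_hardened(conn, current_user_id, invoice_id):
    """Fixed version: ownership is part of the lookup itself, so a record that
    exists but belongs to someone else is indistinguishable from one that does
    not exist. Using a single NotFound for both cases also avoids turning the
    endpoint into an oracle that confirms which IDs are valid."""
    row = conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()
    if row is None:
        raise NotFound(invoice_id)
    return {"id": row[0], "owner_id": row[1], "amount": row[2]}


def enumerate_foreign_invoices(conn, fetch, attacker_id, start, stop):
    """Simulate an attacker walking sequential IDs through a given lookup
    function and return the IDs of invoices that belong to other users."""
    leaked = []
    for invoice_id in range(start, stop):
        try:
            invoice = fetch(conn, attacker_id, invoice_id)
        except NotFound:
            continue
        if invoice["owner_id"] != attacker_id:
            leaked.append(invoice["id"])
    return leaked


if __name__ == "__main__":
    db = make_db()
    # User 1 probes IDs 1000..1009 against both implementations.
    print("vulnerable leaks:", enumerate_foreign_invoices(db, get_invoice_vulnerable, 1, 1000, 1010))
    print("hardened leaks:  ", enumerate_foreign_invoices(db, get_invoice_hardened, 1, 1000, 1010))
```

The important change is that the hardened lookup binds the object to the authenticated principal inside the query (`WHERE id = ? AND owner_id = ?`) rather than fetching first and checking afterwards; the same pattern applies to update and delete statements, which are frequently forgotten when only the read path is fixed. The authorization check must happen on every request, regardless of how unguessable the ID is.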