IDOR

Also known as insecure direct object reference (IDOR), this vulnerability can allow a user to access another user's data without authorization. An endpoint is vulnerable to broken object level authorization if it receives an object ID and performs an action on the object without sufficient validation. Malicious parties can exploit these endpoints by manipulating API calls, specifically the object ID within a request.

For example, consider the following request:

GET /api/employees/{employeeID}/info

An authenticated employee could change the employee ID in the path from their own to another employee's and, if the endpoint only checks that the caller is logged in, read that person's private information.
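The endpoint above, as an added example that is not part of the original page: a minimal handler for GET /api/employees/{employeeID}/info written once without and once with an object-level authorization check. The employee records, IDs and the HR role set are constructed for illustration.

```python
# Added example (not from the original page): the same employee-info handler
# with and without an object-level authorization check.
from dataclasses import dataclass

# Constructed sample data: records keyed by the employeeID taken from the
# URL path of GET /api/employees/{employeeID}/info.
EMPLOYEES = {
    1001: {"name": "Alice", "salary": 92000, "home_address": "1 Example Way"},
    1002: {"name": "Bob", "salary": 87000, "home_address": "2 Sample Road"},
}

# Constructed role data: HR staff may read any record, everyone else only
# their own. requester_id stands for the identity bound to the session.
HR_USERS = {2001}


@dataclass
class Response:
    status: int
    body: dict


def get_employee_info_vulnerable(requester_id: int, employee_id: int) -> Response:
    """Vulnerable: trusts the ID supplied in the path. The session only proves
    the caller is *some* authenticated employee, so requester 1001 can fetch
    /api/employees/1002/info simply by editing the path."""
    record = EMPLOYEES.get(employee_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def get_employee_info_fixed(requester_id: int, employee_id: int) -> Response:
    """Hardened: authorize the (caller, object) pair before acting on the
    object. A 404 is returned for both "missing" and "not yours" so the
    response does not confirm that a guessed ID exists."""
    record = EMPLOYEES.get(employee_id)
    authorized = requester_id == employee_id or requester_id in HR_USERS
    if record is None or not authorized:
        return Response(404, {"error": "not found"})
    return Response(200, record)


if __name__ == "__main__":
    # Alice (1001) requesting Bob's (1002) record through each handler.
    print("vulnerable:", get_employee_info_vulnerable(1001, 1002).status)  # 200
    print("fixed:     ", get_employee_info_fixed(1001, 1002).status)       # 404
```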
