Security Glossary
Definition
IDOR
What is Insecure Direct Object Reference?
A vulnerability that occurs when an application exposes an internal implementation object — such as a database record ID, filename, or account number — without verifying that the requesting user is authorized to access it. By guessing or incrementing object references in API calls or URL parameters, attackers can read, modify, or delete other users' data. IDOR is one of the most prevalent and impactful vulnerabilities in modern web applications and REST APIs.
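The definition above describes the defect and the "increment the reference" probe that exposes it. The following added example (not part of the glossary, and not code from any real application) shows a lookup that trusts the supplied record ID beside one that scopes the lookup to the authenticated caller, and a small authorization test that walks a range of IDs to confirm the hardened version only returns the caller's own records. The invoice table, user IDs and function names are constructed for illustration.

```python
"""IDOR: an ownership-blind lookup beside its authorization-checked form.

Constructed, in-memory data stands in for a database table with sequential
primary keys. Nothing here is taken from a real application.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample table: sequential IDs belonging to two different users.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120.00),
    1002: Invoice(1002, owner_id=9, amount=5400.00),
    1003: Invoice(1003, owner_id=7, amount=42.50),
}


class NotFound(Exception):
    """Raised for both missing and foreign records, so a caller cannot
    distinguish 'does not exist' from 'exists but is not yours'."""


def get_invoice_vulnerable(user_id: int, invoice_id: int) -> Invoice:
    """IDOR-prone handler: the caller's identity is accepted but never used,
    so any known or guessed invoice_id resolves to a record."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_hardened(user_id: int, invoice_id: int) -> Invoice:
    """Fixed handler: authorization is part of the lookup itself. A record
    owned by someone else is treated exactly like a missing one."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != user_id:
        raise NotFound(invoice_id)
    return inv


def records_reachable_by(fetch, user_id: int, id_range) -> list[int]:
    """Authorization test: walk a range of sequential IDs as one user and
    report which records the given handler hands back. For a correct handler
    the result must equal the set of records that user actually owns."""
    reachable = []
    for invoice_id in id_range:
        try:
            reachable.append(fetch(user_id, invoice_id).invoice_id)
        except NotFound:
            continue
    return reachable


if __name__ == "__main__":
    probe = range(1000, 1005)
    print("vulnerable, user 7:", records_reachable_by(get_invoice_vulnerable, 7, probe))
    print("hardened,   user 7:", records_reachable_by(get_invoice_hardened, 7, probe))
    print("hardened,   user 9:", records_reachable_by(get_invoice_hardened, 9, probe))
```

Two design points are worth noting. First, the check lives inside the data-access function rather than in a separate "is this allowed?" call that a future route could forget; in a real application the same effect comes from adding the owner to the query's WHERE clause. Second, the hardened handler returns the same error for a foreign record as for a nonexistent one, so a probe across the ID space learns nothing about which IDs exist. Switching to random or UUID identifiers is useful defence in depth but is not a substitute for the ownership check, since IDs still leak through logs, emails and shared links.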