# Insecure Direct Object References (IDOR)

## **Introduction**

> * IDOR refers to the ability to interact directly with objects by using a reference to their identifiers.
> * An example of IDOR is whenever a web application uses a guessable id value that can be directly modified by the user (e.g. an id in the URL).
> * As web applications store users' files and information, they may use sequential numbers or user IDs to identify each item.
> * IDOR can lead to accessing data that should not be accessible by attackers.
> * What makes this attack very common is essentially the lack of a solid access control system on the back-end.
> * IDOR *"becomes"* BROKEN ACCESS CONTROL whenever a user can access other objects for which they don't have permissions (e.g. other users' data or admin data).
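The point of the last bullet, as an added example that is not part of the original notes: the same "fetch an invoice by id" handler written twice, once with the IDOR defect (the request id is used directly as a lookup key) and once with the server-side ownership check that turns a guessable id into a harmless one. The data store, user ids and invoice ids are constructed for the example.

```python
"""Added example (not from the original notes): a vulnerable object lookup
beside its hardened form. All data below is constructed."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: int


# Constructed sample data: sequential ids, so every id is trivially guessable.
INVOICES = {
    1: Invoice(1, owner_id=100, amount=250),
    2: Invoice(2, owner_id=200, amount=999),
    3: Invoice(3, owner_id=100, amount=40),
}


class Forbidden(Exception):
    """Raised when the authenticated user is not allowed to read the object."""


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """IDOR: the id taken from the request is used directly as the lookup key
    and session_user_id is never compared against the object's owner."""
    return INVOICES.get(invoice_id)


def get_invoice_secure(session_user_id: int, invoice_id: int, is_admin: bool = False) -> Optional[Invoice]:
    """Same lookup, but the object is returned only if the authenticated user
    owns it or holds an admin role that the server established itself (never
    a role parameter supplied by the client)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if not is_admin and invoice.owner_id != session_user_id:
        # Whether to answer 403 or 404 is a design choice; what matters is that
        # the object is never returned to a non-owner.
        raise Forbidden(f"user {session_user_id} may not read invoice {invoice_id}")
    return invoice


def can_read(session_user_id: int, invoice_id: int, is_admin: bool = False) -> bool:
    """Convenience wrapper: True only if the hardened handler returns the object."""
    try:
        return get_invoice_secure(session_user_id, invoice_id, is_admin) is not None
    except Forbidden:
        return False


def list_invoices_for(session_user_id: int) -> list[int]:
    """The scoped alternative: derive the visible objects from the session,
    not from a user-supplied id."""
    return sorted(i.invoice_id for i in INVOICES.values() if i.owner_id == session_user_id)


if __name__ == "__main__":
    # User 100 requests invoice 2, which belongs to user 200.
    print("vulnerable:", get_invoice_vulnerable(100, 2))  # leaks user 200's invoice
    print("secure, readable?", can_read(100, 2))          # False
    print("own invoices:", list_invoices_for(100))        # [1, 3]
```

The ownership comparison is the whole fix: the id may stay sequential and guessable as long as every read and write of the object is checked against the session's identity on the back-end.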

***

## **Detecting potential IDOR Vulnerabilities**

1. Example: `GET` request with a specific reference to an object by using `?id=NUMBER`
2. Example: `POST` request with a specific reference (in its body) to an object by using `id=NUMBER`
3. Example: `POST` request with specific user-permissions-related parameters such as `user role or permissions` or `"url":"/abc/data/users/1"`
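A small triage script for the three patterns above, added here as an example and not part of the original notes: it scans request log lines from your own application for numeric object ids, client-supplied role or permission parameters, and object paths carried inside parameter values, and reports each parameter that needs an ownership check reviewed on the back-end. The log lines and the parameter-name patterns are constructed for the example.

```python
"""Added example (not from the original notes): flag request parameters that
match the IDOR detection patterns listed above. The log lines are constructed."""

import re
from urllib.parse import parse_qsl, urlsplit

# Pattern 1/2: a parameter named id (or *_id) carrying a plain number.
NUMERIC_ID_PARAM = re.compile(r"(^|_)id$", re.IGNORECASE)
# Pattern 3a: permission-related parameter names (constructed list).
PERMISSION_PARAM = re.compile(r"^(role|user_?role|permissions?|is_?admin|group)$", re.IGNORECASE)
# Pattern 3b: a value that is itself an object path ending in a numeric id.
OBJECT_PATH_VALUE = re.compile(r"^/.*/\d+/?$")

# Constructed sample log, one request per line: "<METHOD> <path?query> [<body>]"
SAMPLE_LOG = [
    "GET /invoices?id=1042",
    "POST /profile/update user_role=user&display_name=alice",
    "POST /files/fetch url=/abc/data/users/1",
    "GET /search?q=hello",
    "GET /static/app.js",
]


def parse_line(line: str):
    """Split a log line into method, path and the merged query+body parameters."""
    parts = line.split(" ", 2)
    method, target = parts[0], parts[1]
    body = parts[2] if len(parts) == 3 else ""
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    return method, url.path, params


def find_idor_candidates(lines):
    """Return (line, parameter, reason) for every parameter that matches one of
    the three patterns; each is a place where the back-end must verify that the
    session owns (or may act on) the referenced object."""
    findings = []
    for line in lines:
        method, path, params = parse_line(line)
        for name, value in params:
            if NUMERIC_ID_PARAM.search(name) and value.isdigit():
                findings.append((line, name, "numeric object reference"))
            elif PERMISSION_PARAM.match(name):
                findings.append((line, name, "client-supplied role/permission"))
            elif OBJECT_PATH_VALUE.match(value):
                findings.append((line, name, "object path with numeric id in value"))
    return findings


if __name__ == "__main__":
    for line, name, reason in find_idor_candidates(SAMPLE_LOG):
        print(f"{reason:40} param={name!r:12} {line}")
```

A hit is not a vulnerability by itself; it marks an endpoint whose handler must be read to confirm that the referenced object is checked against the authenticated session rather than trusted as sent.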
