adam's notes

❯

❯

Insecure Direct Object Reference (IDOR)

Insecure Direct Object Reference (IDOR)

A direct object reference is a reference to the actual name of a system object that the application uses.

If an attacker is able to manipulate a parameter that directly references an object,
- attacker can craft that parameter to grant access to other objects the attacker would normally be unauthorized to access
are typically insecure when they do not verify whether a user is authorized to access a specific object
- so implement access control techniques

Example

a call to an SQL database may request account information by directly referencing the acctname parameter

attacker may replace the acctname parameter with a different account name

would grant them access to that account if the object reference is insecure

attacker can arbitrarily change bob to alice

/webpage.php/order?acctname=bob → /webpage.php/order?acctname=alice

Graph View

Backlinks

Cloud Application Security
Cloud Application Threats
Understand Application Security and Attack Mitigation Best Practices

Created with Quartz v4.5.2 © 2026

CC BY-NC-SA
adamfurman.me