
The Danger of IDOR

Insecure Direct Object References (IDOR) are simple to execute but devastating in impact. See how attackers exploit predictable IDs to access private data.

🧠 How it happens

Backend logic:

GET /api/user/123

System checks:
✔ User logged in (authentication)

But misses:
❌ Is this THEIR data? (authorization)


⚠️ Attack example

User A:

/api/profile/101

Attacker tries:

/api/profile/102

👉 Access granted → vulnerability


🔍 Types

Horizontal

Access another user's data at the same privilege level

Vertical

Access resources of a higher privilege level, e.g. admin functions (critical)


🚨 Real-world damage


🛡️ Fix (CRITICAL)

✔ Authorization check

// Authorization check: the authenticated user must own the requested resource
if (request.user.id !== resource.ownerId) {
  deny(); // e.g. respond with 403 Forbidden and stop processing
}

✔ Backend validation only

❌ Never trust frontend checks


✔ Indirect IDs (optional): expose unguessable, per-user references instead of raw database IDs; this makes IDs harder to guess but does not replace the authorization check
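As an added example (not from the original article), here are the vulnerable and fixed profile lookups side by side in plain JavaScript, plus a small audit loop that counts cross-user leaks; the profile store, user IDs and request shape are assumptions made for illustration.

```javascript
// Added example, not code from the original article.
// Constructed sample data: two users, each owning one profile.
const profiles = new Map([
  [101, { ownerId: 101, email: "a@example.com" }],
  [102, { ownerId: 102, email: "b@example.com" }],
]);

// Vulnerable handler: checks that the caller is logged in (authentication)
// but never that the requested profile belongs to them (authorization).
function getProfileVulnerable(request, profileId) {
  if (!request.user) return { status: 401 };
  const profile = profiles.get(profileId);
  if (!profile) return { status: 404 };
  // IDOR: any logged-in user receives any profile they ask for.
  return { status: 200, body: profile };
}

// Fixed handler: the ownership check runs on the backend for every request.
function getProfileFixed(request, profileId) {
  if (!request.user) return { status: 401 };
  const profile = profiles.get(profileId);
  if (!profile) return { status: 404 };
  // Deny unless the caller owns the resource (returning 404 here instead
  // would additionally avoid confirming that the guessed ID exists).
  if (profile.ownerId !== request.user.id) return { status: 403 };
  return { status: 200, body: profile };
}

// Simple audit: try every (caller, profile) pair and count the cases where
// a handler returns a profile to someone other than its owner.
function countCrossUserLeaks(handler) {
  let leaks = 0;
  for (const callerId of profiles.keys()) {
    for (const [profileId, profile] of profiles) {
      const res = handler({ user: { id: callerId } }, profileId);
      if (res.status === 200 && profile.ownerId !== callerId) leaks++;
    }
  }
  return leaks;
}
```

Running the audit against both handlers shows the vulnerable one leaking every other user's profile and the fixed one leaking none.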


🎯 Key takeaway

👉 Login ≠ permission
👉 Always validate ownership
