Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR) is an access-control vulnerability class in information security. It occurs when a web application does not properly validate a user's request for a specific resource: instead of checking whether that user is authorized to access it, the application simply trusts the identifier submitted in the request. This means that if an attacker alters that identifier to reach a restricted resource that should not be available to them, the application will not stop them.
For example, suppose a website has a page that displays a user's email address when they enter their ID number into a search box. If the website does not check whether the requesting user is allowed to see the email address tied to that ID, an attacker could change the ID number in the request and obtain another user's email address without authorization.
To prevent IDOR attacks, web developers must validate every request made by a user on the server side, checking for each object the request references that the requesting user is authorized to access it, so that each user can only reach the resources they are permitted to see.
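The email-lookup page described above, modelled as an added example that is not part of the original article: a minimal in-memory handler with the IDOR defect next to a hardened version that ties the requested ID back to the authenticated user. The user records, session tokens and handler names are constructed assumptions for illustration.

```python
# Constructed sample data: user records keyed by the numeric ID the client submits.
USERS = {
    101: {"email": "alice@example.test"},
    102: {"email": "bob@example.test"},
}

# Constructed sample sessions: the server learns who is logged in from the
# session token, never from a client-supplied parameter.
SESSION = {"session-alice": 101, "session-bob": 102}

class Forbidden(Exception):
    """Raised when the caller is not allowed to read the referenced object."""

class NotFound(Exception):
    """Raised when the referenced object does not exist."""

def vulnerable_lookup(session_token: str, requested_id: int) -> str:
    """IDOR: only checks that the caller is logged in, then trusts the
    submitted ID and returns whatever record it names."""
    if session_token not in SESSION:
        raise Forbidden("not logged in")
    record = USERS.get(requested_id)
    if record is None:
        raise NotFound(f"no user {requested_id}")
    return record["email"]

def hardened_lookup(session_token: str, requested_id: int) -> str:
    """Fixed: the object is tied back to the authenticated identity before
    anything is returned, so a changed ID cannot reach another user's data."""
    current_user = SESSION.get(session_token)
    if current_user is None:
        raise Forbidden("not logged in")
    if requested_id != current_user:
        # Authorization is decided from the server-side session, not from the
        # request. Many applications return the same response as "not found"
        # here so the existence of other IDs is not confirmed.
        raise Forbidden(f"user {current_user} may not read user {requested_id}")
    record = USERS.get(requested_id)
    if record is None:
        raise NotFound(f"no user {requested_id}")
    return record["email"]
```

With Alice's session, `vulnerable_lookup` hands back Bob's address when the ID is changed to 102, while `hardened_lookup` raises `Forbidden` for the same request.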