Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR) is a vulnerability that arises when attackers can access or modify objects by manipulating identifiers used in a web application's URLs or parameters. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.
IDOR vulnerabilities are among the most common and impactful bugs found in bug bounty programs. They typically appear in API endpoints that reference database objects by predictable IDs — user profiles, invoices, messages, or files. An attacker simply changes an ID parameter (e.g., /api/users/1234 to /api/users/1235) to access another user's data. The impact ranges from information disclosure to full account takeover, depending on the affected endpoint.
Common patterns include sequential integer IDs in REST APIs, UUID leakage through other endpoints, and GraphQL queries that expose object references without authorization checks. Prevention requires server-side access control on every request — never relying on obscurity of identifiers alone.
This page collects writeups, tutorials, and tools for finding and exploiting IDOR vulnerabilities, from basic parameter tampering to advanced techniques like BOLA (Broken Object Level Authorization) in modern APIs.
From OWASP
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-04-10 | IDOR - PortSwigger Web Security | |
| 2026-04-10 | IDOR - OWASP Foundation | |
| 2026-04-10 | Learn about IDOR - BugBountyHunter.com | |
| 2026-04-10 | How-To: Find IDOR Vulnerabilities for Large Bounty Rewards | |
| 2026-04-10 | Bug Bounty Hunting: Insecure Direct Object References | |
| 2026-04-10 | How I Found Easy IDOR: Bug Bounty Writeup | |
| 2026-04-10 | HackerOne Report: IDOR Allows Viewing | |
| 2026-04-10 | CVE-2025-67274: Broken Access Control BOLA in aangine | |
| 2026-04-10 | CVE-2026-33312: BOLA in Vikunja Project | |
| 2026-04-10 | IDOR Prevention Cheat Sheet | |
| 2026-04-10 | IDOR Writeup TryHackMe | |
| 2026-04-10 | What is IDOR? Complete Guide | |
| 2026-04-10 | IDOR - MDN Web Security | |
| 2026-04-10 | Flowise IDOR & Business Logic Flaw (CVE-2025) | |
| 2026-04-10 | Insecure Direct Object Reference (IDOR) - A Deep Dive | |
| 2026-04-06 | Web Application Security Testing: A Step-by-Step Learning Guide | |
| 2026-04-06 | CVE-2026-33030: Nginx UI Authorization Bypass | |
| 2026-04-06 | GraphQL Security: How I Found and Exploited Critical IDOR and Authorization Bypass | |
| 2026-04-06 | BugQuest 2026: 31 Days of Broken Access Control | |
| 2026-04-06 | Nginx UI IDOR Allows Cross-User Resource Access | |
| 2026-04-03 | IDOR \| HackTricks | |
| 2026-04-03 | IDOR Attack Guide \| Hackviser | |
| 2026-04-03 | Real Bug Bounty Report: IDOR Used to Exploit a Banking Application | |
| 2026-04-03 | Reddit Bug Bounty: Exploiting an IDOR Vulnerability in Dubsmash's API | |
| 2026-04-03 | IDOR: The $1 Billion Authorization Bug | |
| 2026-04-03 | IDOR Vulnerability: Analysis, Impact, Mitigation \| Huntress | |
| 2026-04-03 | How to Find IDOR Vulnerabilities: The Bug Bounty Hunter's Practical Guide | |
| 2026-04-03 | Insecure Direct Object References (IDOR) \| Intigriti Hackademy | |
| 2026-04-03 | IDOR in 2025: Why Broken Access Control Still Rules the Vulnerability Charts | |
| 2026-04-03 | IDOR: A Complete Guide to Exploiting Advanced IDOR Vulnerabilities \| Intigriti | |
| 2026-01-29 | How I Made Burp Suite My IDOR-Finding Robot Butler (And Found 20+ Bugs) 🤖🔍 | The content titled "How I Made Burp Suite My IDOR-Finding Robot Butler (And Found 20+ Bugs)" likely discusses utilizing the Burp Suite tool to automate the discovery of Insecure Direct Object Reference (IDOR) vulnerabilities, leading to the identification of over 20 bugs. The author shares their experience and strategies for leveraging Burp Suite effectively in bug hunting. The content may provide insights into the process of using automation tools for security testing and the successful outcomes achieved through this approach. |
| 2026-01-19 | TrinetLayer | TrinetLayer is a proven tool used by hackers for vulnerability research, real-world exploit payloads, and modern attack techniques. It is trusted within the hacking community for its effectiveness and reliability. |
| 2025-08-14 | devanshbatham/Vulnerabilities-Unmasked | The content provided is a GitHub repository named "Vulnerabilities-Unmasked" created by a user named devanshbatham. The repository likely contains information or code related to vulnerabilities. However, without further details or access to the repository, it is not possible to provide a more detailed summary of its contents. |
| 2025-08-14 | Roadmap to Cybersecurity in 2022, Full-Read SSRF, IDOR in GraphQL, GCP P | The content mentions a roadmap to cybersecurity in 2022, focusing on topics like Full-Read SSRF, IDOR in GraphQL, and GCP P. It suggests a plan or guide for enhancing cybersecurity practices in the upcoming year, highlighting specific areas of concern and potential vulnerabilities to address. The content seems to offer insights or strategies related to cybersecurity trends and challenges for the year ahead, including the importance of understanding SSRF, IDOR, and GCP security measures. |
| 2025-08-14 | https://www.aon.com/cyber-solutions/aon_cyber_labs/finding-more-idors-tips-and-tricks/ | The content discusses tips and tricks for finding more Insecure Direct Object References (IDORs) in web applications. It emphasizes the importance of identifying and addressing IDOR vulnerabilities to enhance cybersecurity. The article provides insights into common IDOR scenarios, tools for detecting IDORs, and strategies for mitigating these risks. By understanding and proactively addressing IDOR vulnerabilities, organizations can strengthen their cybersecurity posture and protect sensitive data from unauthorized access. |
| 2025-08-14 | Jobert Abma on Twitter: "Hacker tip: when you’re looking for IDORs in a mod | Jobert Abma shared a hacker tip on Twitter about finding IDORs in a mod. This tweet suggests that Jobert Abma is providing advice or guidance related to hacking techniques, specifically focusing on Insecure Direct Object References (IDORs) within a mod. The content is concise and implies that Jobert Abma may be sharing insights on exploiting security vulnerabilities in software or applications. |
| 2025-08-14 | A Less Known Attack Vector, Second Order IDOR Attacks | The content discusses Second Order Insecure Direct Object Reference (IDOR) attacks, which are a lesser-known attack vector. These attacks involve exploiting vulnerabilities in an application's logic to manipulate indirect references to objects and access unauthorized data. Second Order IDOR attacks can be more complex and challenging to detect compared to traditional IDOR attacks. Understanding and mitigating these types of attacks are crucial for enhancing the security of web applications. |
| 2025-08-14 | https://link.medium.com/uAVtDAbHy3 | |
| 2025-08-14 | https://link.medium.com/99Jx3wwTv3 | |
| 2025-08-14 | Inf0rM@tion Disclosure via IDOR - Pratyush Anjan Sarangi - Medium | The content is titled "Inf0rM@tion Disclosure via IDOR" by Pratyush Anjan Sarangi on Medium. It likely discusses Information Disclosure through Insecure Direct Object References (IDOR) in web applications. This vulnerability allows unauthorized access to sensitive data by manipulating object references. The article may delve into the impact of IDOR on security and ways to prevent such disclosures. |
| 2025-08-14 | cat ~/footstep.ninja/blog.txt | |
| 2025-08-14 | Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Metho | The content suggests a concern that Airbnb may be involved in stealing earnings from hosts by adding unauthorized bank accounts or payment methods. This raises issues of potential fraud or unauthorized access to hosts' funds. It highlights a possible risk for Airbnb hosts who rely on the platform for income. |
| 2025-08-14 | HTTP Request Smuggling IDOR - Hipotermia | The content appears to be about a potential security vulnerability known as HTTP Request Smuggling IDOR (Insecure Direct Object Reference) with the code name "Hipotermia." This vulnerability could allow attackers to manipulate HTTP requests to access unauthorized resources or perform malicious actions. It is essential for web developers and security professionals to be aware of such vulnerabilities to prevent exploitation and protect sensitive data. |
| 2025-08-14 | Stories Of IDOR-Part 2 - InfoSec Write-ups - Medium | The content seems to be a continuation of a series called "Stories Of IDOR" focusing on cybersecurity write-ups. It is likely published on the Medium platform. The content may delve into stories related to Insecure Direct Object References (IDOR) in the realm of information security. This series could provide insights, analysis, and possibly solutions related to IDOR vulnerabilities. |
| 2025-08-14 | How I could delete Facebook Ask for Recommendations post’s place objects in | The content discusses how to delete the location tags associated with Facebook Ask for Recommendations posts. It focuses on removing the specific place objects that are linked to these posts. |
| 2025-08-14 | Chains on Chains!! Chaining several IDOR’s into Account Takeover(PART ONE) | The content appears to discuss chaining multiple Insecure Direct Object References (IDORs) to execute an Account Takeover attack. This process involves exploiting vulnerabilities in the way user permissions are handled to gain unauthorized access to user accounts. The title suggests that this is part one of a series of articles or guides on this topic. |
| 2025-08-14 | https://link.medium.com/ReIPZNYhm0 | |
| 2023-09-22 | IDOR - how to predict an identifier? Bug bounty case study | The content discusses IDOR (Insecure Direct Object Reference) vulnerability in bug bounty programs, focusing on predicting identifiers to exploit this flaw. The video likely provides a case study demonstrating how this vulnerability can be leveraged for unauthorized access. It is essential for security professionals and bug bounty hunters to understand and address IDOR vulnerabilities to protect systems and data. |
| 2021-02-13 | Finding more IDORs – Tips and Tricks \| Aon | The content provides a compilation of helpful tips, tricks, and techniques aimed at uncovering Insecure Direct Object References (IDORs). It offers guidance on how to identify and exploit these vulnerabilities effectively. |
| 2021-01-24 | All About IDOR Attacks | IDOR attacks involve exploiting vulnerabilities in systems that allow attackers to access data they are not authorized to view. Insecure Direct Object References occur when an application exposes internal implementation objects, such as files or database records, to users without proper authentication. Attackers can manipulate parameters to access sensitive information or perform unauthorized actions. Preventing IDOR attacks requires implementing proper access controls, validating user input, and ensuring that sensitive data is not exposed directly. Understanding how IDOR attacks work is crucial for organizations to protect their data and systems from unauthorized access and potential breaches. |
| 2020-01-13 | GraphQL IDOR leads to information disclosure - Eshan Singh - Medium | Eshan Singh, also known as R0X4R, discusses a recent discovery related to GraphQL IDOR (Insecure Direct Object Reference) leading to information disclosure. Singh shares insights and details about this vulnerability in the Medium article. |
| 2020-01-13 | cat ~/footstep.ninja/blog.txt | |
Frequently Asked Questions
- What is an IDOR vulnerability?
- IDOR (Insecure Direct Object Reference) is a type of access control vulnerability where an application exposes internal object references — such as database IDs, filenames, or user identifiers — without proper authorization checks. An attacker can manipulate these references to access other users' data.
- How do you find IDOR vulnerabilities?
- To find IDORs, look for predictable identifiers in API endpoints, URL parameters, and request bodies. Change IDs (numeric, UUID, or encoded values) to those belonging to other users and observe whether the application returns unauthorized data. Testing with two accounts simultaneously is the most effective approach.
- What is the difference between IDOR and BOLA?
- BOLA (Broken Object Level Authorization) is the API-specific term for IDOR, used in the OWASP API Security Top 10. Both describe the same core issue: missing authorization checks when accessing objects by reference. BOLA is the preferred term when discussing API security.