Cyfotok Labs logo
CyfotokCyfotok Labs
DashboardPathsLabsLeaderboardPricingFor Colleges
Sign up
LoginSignup
  1. Home
  2. /
  3. Guides
  4. /
  5. What Is IDOR (Insecure Direct Object Reference)?
Cybersecurity BasicsEnglish

What Is IDOR (Insecure Direct Object Reference)?

IDOR occurs when an application exposes internal object references (user IDs, document IDs, order numbers) without verifying the requester owns that object. Changing ?user_id=123 to ?user_id=124 lets you read another user's data — a critical access control failure.

Published 1 June 2025Updated 1 June 2026

Real-world examples

API returns /api/invoice/5501 for your invoice — increment to 5502 for someone else's. Profile photo at /uploads/user_42.jpg — try user_43.jpg. GraphQL query with hardcoded object IDs.

Why IDOR is dangerous

Leads to mass data breaches, privacy violations, and regulatory fines (GDPR, DPDP Act). Often found in APIs where frontend hides IDs but backend does not enforce ownership.

Testing methodology

Map all endpoints with object references. Replace IDs with adjacent values. Test horizontal (same role, different user) and vertical (lower role accessing admin objects) escalation.

Fix

Server-side authorization check on every request: does authenticated user own this object? Never rely on obscurity of IDs.

Frequently asked questions

IDOR vs privilege escalation?
IDOR is accessing objects you should not see at your role level. Privilege escalation is gaining admin/higher role. Both are access control failures.

Related guides

  • OWASP Top 10 Explained for Beginners

    OWASP Top 10 explained simply: injection, broken auth, XSS, and more. Practice each risk category on Cyfotok Labs.

  • What Is CSRF (Cross-Site Request Forgery)?

    What is CSRF (Cross-Site Request Forgery)? Learn how attackers forge requests and practice CSRF labs on Cyfotok.

  • JWT Security Lab Guide

    JWT security lab guide: crack weak secrets, algorithm confusion, and token tampering on Cyfotok hands-on labs.

  • Bug Bounty for Beginners

    Bug bounty for beginners: legal scope, first vulnerabilities to learn, and lab practice before HackerOne. Start with Cyfotok OWASP labs.

Ready to practice?

Practice access control labs