Real-world examples
API returns /api/invoice/5501 for your invoice — increment to 5502 for someone else's. Profile photo at /uploads/user_42.jpg — try user_43.jpg. GraphQL query with hardcoded object IDs.
Why IDOR is dangerous
Leads to mass data breaches, privacy violations, and regulatory fines (GDPR, DPDP Act). Often found in APIs where frontend hides IDs but backend does not enforce ownership.
Testing methodology
Map all endpoints with object references. Replace IDs with adjacent values. Test horizontal (same role, different user) and vertical (lower role accessing admin objects) escalation.
Fix
Server-side authorization check on every request: does authenticated user own this object? Never rely on obscurity of IDs.