Insecure Direct Object References (IDOR)

IDOR is an access-control flaw where changing an identifier in a request lets you read or modify objects that belong to other users.

IDORGenerate payloads Cheat SheetCopy-ready payloads Testing GuideStep by step

What it is

IDOR (a form of broken object-level authorization) occurs when an application exposes a direct reference to an object — a numeric id, UUID, or filename — and authorises the action based on that reference alone, without checking that the current user owns it.

How to test for it

Capture a request that references an object you own, then change the identifier to one belonging to another account and observe whether access is granted. Test every verb (read, update, delete) and look for predictable or leaked identifiers.

How to prevent it

Enforce object-level authorization on the server for every request — verify the authenticated user is allowed to act on the specific object. Use unguessable identifiers as defense in depth, never as the only control.

In-depth articles

IDOR Testing Methodology: Finding Insecure Direct Object References in Bug Bounty13 min read OWASP API Security Top 10: Testing and Exploitation Guide16 min read Broken Access Control Testing Guide: Vertical & Horizontal Privesc, Forced Browsing, and Method Tampering12 min read

Frequently asked questions

What's the difference between IDOR and BOLA?+

They describe the same root cause — missing per-object authorization. BOLA (Broken Object Level Authorization) is the API-focused name popularised by the OWASP API Security Top 10.

Do UUIDs prevent IDOR?+

No. Unguessable identifiers make enumeration harder but are not authorization. If the server doesn't check ownership, a leaked or shared UUID still grants access.

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...