Web applications rely on identifiers to distinguish one object from another. A user profile, an invoice, a support ticket, and a private document each have some kind of reference (often a number or a string) that the application uses internally to locate them. When an application lets the user supply that reference and then retrieves the corresponding object without checking whether that user is permitted to access it, the result is an Insecure Direct Object Reference (IDOR).
IDOR is classified as an access control vulnerability. It sits within the Broken Access Control category, which holds the first position in the OWASP Top 10. The same underlying flaw appears in the OWASP API Security Top 10 under the name Broken Object Level Authorisation (BOLA). The terminology differs depending on context, but the root cause is identical: the server authenticates the user but does not verify that this user has permission to interact with the specific object they are requesting.
What makes IDOR significant is the gap between its simplicity and its impact. Exploiting the vulnerability often requires nothing more than changing a number in a URL, a query string, or a request body. There is no need for injection, no need for session hijacking, and no need for any specialised tooling. Yet the consequences can range from mass data disclosure (walking every identifier in a range) to full account takeover, depending on what the vulnerable endpoint exposes and whether it also accepts writes.
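The flaw and its fix, side by side, as an added example that is not part of this room's material. The invoice store, the user names and the function names are constructed for illustration. The vulnerable handler authenticates the caller but never checks ownership, so a tester who changes the reference (plaintext or base64-encoded; encoding is not a control) reads another user's invoice; the hardened handler performs the object-level check on every lookup and returns the same error for "not found" and "not yours" so it cannot be used as an enumeration oracle.

```python
import base64
from typing import Callable, Dict, List, Tuple

# Constructed sample data: an invoice table keyed by its direct object reference.
INVOICES: Dict[int, Dict[str, object]] = {
    1001: {"owner": "alice", "amount": 120.00, "memo": "alice's consulting invoice"},
    1002: {"owner": "bob", "amount": 75.50, "memo": "bob's hosting bill"},
    1003: {"owner": "alice", "amount": 300.00, "memo": "alice's retainer"},
}


class NotFound(Exception):
    """Raised for an unknown reference; the secure handler also raises it
    for objects the caller is not allowed to see."""


def parse_reference(ref: str) -> int:
    """Accept the reference as the client sent it: a plain integer, or a
    base64-encoded integer (e.g. 'MTAwMg==' for 1002). Encoding only changes
    the form of the identifier; it is not an access control."""
    try:
        return int(ref)
    except ValueError:
        pass
    try:
        return int(base64.b64decode(ref, validate=True).decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise NotFound(ref) from exc


def fetch_invoice_vulnerable(session_user: str, ref: str) -> Dict[str, object]:
    """Vulnerable: the caller is authenticated (session_user is set), but the
    object is returned without checking that it belongs to that caller."""
    invoice_id = parse_reference(ref)
    if invoice_id not in INVOICES:
        raise NotFound(ref)
    return INVOICES[invoice_id]


def fetch_invoice_secure(session_user: str, ref: str) -> Dict[str, object]:
    """Hardened: object-level authorisation on every lookup."""
    invoice_id = parse_reference(ref)
    invoice = INVOICES.get(invoice_id)
    # Same error for "does not exist" and "not yours", so the endpoint does
    # not confirm which identifiers are valid.
    if invoice is None or invoice["owner"] != session_user:
        raise NotFound(ref)
    return invoice


Handler = Callable[[str, str], Dict[str, object]]


def probe_idor(handler: Handler, session_user: str, refs: List[str]) -> List[Tuple[str, str]]:
    """Tester's view: request each candidate reference as session_user and
    report every one that returns an object owned by someone else."""
    leaks: List[Tuple[str, str]] = []
    for ref in refs:
        try:
            obj = handler(session_user, ref)
        except NotFound:
            continue
        if obj["owner"] != session_user:
            leaks.append((ref, str(obj["owner"])))
    return leaks


if __name__ == "__main__":
    candidates = ["1000", "1001", "1002", "1003", "1004", "MTAwMQ=="]
    print("vulnerable:", probe_idor(fetch_invoice_vulnerable, "bob", candidates))
    print("secure:    ", probe_idor(fetch_invoice_secure, "bob", candidates))
```

Run as bob, the vulnerable handler leaks both of alice's invoices (1001 and 1003, and again via the base64 form of 1001), while the hardened handler leaks nothing and still serves bob his own invoice 1002. The same probe loop is what you would drive against a real endpoint with a second test account: one session, a range of references, and a check on whose data comes back.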
In this room, we cover what IDOR vulnerabilities are, the different forms object references can take, where to look for them in a web application, and how to exploit them. The final task provides a practical exercise against a simulated target.
Learning Objectives
By the end of this room, you will be able to:
- Explain what an IDOR vulnerability is and how it relates to broken access control
- Identify the different forms object references can take, including plaintext, encoded, and hashed identifiers
- Recognise the locations in a web application where IDOR vectors commonly appear
- Exploit an IDOR vulnerability in a practical scenario to access another user's data