Insecure direct object reference occurs when a software uses a user-provided reference key without properly checking permissions. For example, a system that directly reads an “account id” reference from a logged-on user, without making sure that the user is allowed to access the specified account, will be vulnerable to IDOR. Common methods to avoid such issues include implementing authorization checks, or mapping the reference keys (per session, or per user, on the server side), so that the keys used by the user represent a temporary indirect reference.

Related Terms

Application Security Posture Management

AppSec, but so much

Reclaim AppSec