IDOR Cheat Sheet
IDOR occurs when object access is based on user input without verifying authorization for that specific object.
Detection Clues
- URLs with predictable object IDs
- Missing server-side ownership checks
- Changing only the object ID in a request returns a different object (often another user's)
Prevention
- Check authorization at the object level on every request
- Use RBAC/ABAC with deny-by-default policy
- Log and alert on suspicious object access attempts
Copy-Ready Safe Test Case Pattern
GET /api/orders/{your_own_order_id}
Expected: 200 (authorized)
GET /api/orders/{different_user_order_id}
Expected: 403 (forbidden)
Real-Life Bug Pattern (Sanitized)
A billing dashboard relied on numeric invoice IDs in the URL and omitted the object ownership check in one endpoint. Any logged-in user could read other customers' invoices.
- Always enforce object ownership server-side
- Audit all CRUD endpoints, not just read endpoints
- Log access-denied events to detect probing activity
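The prevention list and the two-request test pattern above, carried into code as an added example (not from the original cheat sheet): a vulnerable lookup next to a hardened one that enforces object ownership, logs each denial, and flags a caller who accumulates denials. The order records, user names and the ALERT_AFTER threshold are constructed for the demo.

```python
import logging

log = logging.getLogger("idor-demo")

# Constructed stand-in for the orders table (not real data).
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 99.50},
}

# Access-denied events per user, kept to surface probing activity.
DENIED = {}
ALERT_AFTER = 3  # hypothetical threshold; tune to real traffic


def get_order_vulnerable(user, order_id):
    """IDOR: the lookup trusts the ID from the URL and never checks who owns it."""
    order = ORDERS.get(order_id)
    return (404, None) if order is None else (200, order)


def get_order_safe(user, order_id):
    """Object-level authorization on every request, deny by default."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    if order["owner"] != user:
        record_denied(user, order_id)
        return 403, None
    return 200, order


def record_denied(user, order_id):
    """Log every denial and flag the user once denials reach the threshold."""
    DENIED[user] = DENIED.get(user, 0) + 1
    log.warning("access denied user=%s order_id=%s", user, order_id)
    if DENIED[user] >= ALERT_AFTER:
        log.error("possible IDOR probing user=%s denials=%d", user, DENIED[user])
        return True
    return False


def run_test_pattern(handler, user, own_id, other_id):
    """The cheat sheet's two-request check: a safe endpoint yields (200, 403)."""
    return handler(user, own_id)[0], handler(user, other_id)[0]
```

Run the pattern against each handler with a user's own order ID and someone else's; the vulnerable handler answers 200 to both, the safe one 200 then 403.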