# Insecure Direct Object Reference (IDOR)

**IDOR (Insecure Direct Object Reference)** is a security vulnerability that occurs when an application provides direct access to objects or data based on user-supplied input, such as input from a URL or form parameter, without proper authorization checks. In other words, an attacker can manipulate these references to access unauthorized data or objects.

Here's an explanation of IDOR with examples:

**Example 1 - Unauthorized File Access:** Suppose a web application allows users to view their profile pictures by navigating to a URL like `https://example.com/profile?username=johndoe`. In this case, the `username` parameter is used to retrieve the profile picture associated with the provided username. If the application doesn't perform proper authorization checks, an attacker could change the `username` parameter to access other users' profile pictures. For example, by changing the URL to `https://example.com/profile?username=malicioususer`, the attacker may access the profile picture of a user they are not authorized to view.

**Example 2 - Viewing Other Users' Data:** Consider a banking application where users can view their account details by logging in and navigating to their account page. The URL might look like `https://bankapp.com/account?account_id=12345`. If the application doesn't properly validate the user's session or authorization, an attacker could manipulate the `account_id` parameter to access other users' account details. By changing the URL to `https://bankapp.com/account?account_id=67890`, the attacker may view someone else's account information.

**Example 3 - Editing Other Users' Records:** In a web-based content management system (CMS), users with proper authorization can edit their articles by visiting a URL like `https://cmsapp.com/edit?article_id=123`. If the application fails to check if the user has permission to edit the specified article, an attacker could modify the `article_id` parameter to edit articles that belong to other users. By changing the URL to `https://cmsapp.com/edit?article_id=456`, the attacker may edit someone else's article.

To prevent IDOR vulnerabilities, developers should implement strong access controls and ensure that users can only access or manipulate objects and data for which they have legitimate permissions. Access should be determined on the server side, and the application should validate the user's identity, session, and authorization before granting access to any resource. Additionally, developers should avoid using user-supplied input as the sole means of referencing objects or data without proper checks and validation.
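As an added example (not code from the original page), the handlers below model Example 2 and Example 3 side by side with the server-side fix the previous paragraph describes: a lookup that trusts the client-supplied id, the same lookup gated on ownership derived from the session, and an article edit that applies the same rule to a write. The in-memory store, the user names `alice` and `bob`, the account and article ids, and the `(status_code, payload)` return convention are all constructed for illustration. The final class goes one step past the text and shows per-session indirect references, so the real ids never appear in URLs at all.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Account:
    account_id: int
    owner: str
    balance: int


@dataclass
class Article:
    article_id: int
    author: str
    body: str


# Constructed sample data (not real users): each user owns one account and one article.
ACCOUNTS = {12345: Account(12345, "alice", 1500), 67890: Account(67890, "bob", 42)}
ARTICLES = {123: Article(123, "alice", "Alice's draft"), 456: Article(456, "bob", "Bob's draft")}


def view_account_vulnerable(session_user, account_id):
    """IDOR as in Example 2: the handler trusts the account_id taken from the
    URL and never compares it with the logged-in user, so any authenticated
    user can read any account."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    return 200, account


def load_owned(store, object_id, session_user, owner_field):
    """Server-side ownership check shared by the hardened handlers: returns
    the object only if it exists AND belongs to session_user."""
    obj = store.get(object_id)
    if obj is None or getattr(obj, owner_field) != session_user:
        return None
    return obj


def view_account_secure(session_user, account_id):
    """Fixed handler: authorization is decided from the session, not the URL.
    'Does not exist' and 'not yours' collapse into one 404 so the response
    does not reveal which account numbers are valid."""
    account = load_owned(ACCOUNTS, account_id, session_user, "owner")
    if account is None:
        return 404, None
    return 200, account


def edit_article_secure(session_user, article_id, new_body):
    """Example 3 hardened: the write is applied only when the author matches."""
    article = load_owned(ARTICLES, article_id, session_user, "author")
    if article is None:
        return 404, None
    article.body = new_body
    return 200, article


class IndirectReferenceMap:
    """Per-session indirect references (beyond what the page describes):
    the server mints an opaque random handle for each object a user is
    allowed to reference and exposes only the handle. A handle minted in one
    user's map resolves to nothing in another user's map, so there is no id
    to tamper with in the first place. Mint handles only for objects the
    session already passed an ownership check for (see handles_for_user)."""

    def __init__(self):
        self._maps = {}  # session_user -> {handle: object_id}

    def mint(self, session_user, object_id):
        handle = secrets.token_urlsafe(16)
        self._maps.setdefault(session_user, {})[handle] = object_id
        return handle

    def resolve(self, session_user, handle):
        return self._maps.get(session_user, {}).get(handle)


def handles_for_user(refmap, session_user):
    """Mint handles for the accounts this user owns, i.e. what an account
    list page would embed in its links instead of raw account_ids."""
    return {
        refmap.mint(session_user, acc.account_id): acc.account_id
        for acc in ACCOUNTS.values()
        if acc.owner == session_user
    }
```

The hardened handlers never consult the client-supplied id without also consulting the session, which is the whole fix: the URL parameter selects a candidate object, the session decides whether the caller may see it. Returning 404 rather than 403 for objects the user does not own is a deliberate choice so that probing ids does not confirm their existence; log the mismatch server-side, since a burst of ownership failures from one session is a useful IDOR-probing signal.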
