Overview
- Bug Type: IDOR (broken object level auth)
- Category: Security
Definition
Object IDs can be tampered with to access/modify resources without proper authorization checks.
How to fix IDOR (broken object level auth)?
Enforce object-level authorization on every read and write (not just on list or detail endpoints); use opaque, non-guessable IDs so enumeration yields nothing; add tenancy checks so a valid ID from another tenant is rejected; cover every object-returning endpoint with authorization tests.
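The following is an added example, not code from the original page: a vulnerable handler beside the hardened form, showing each fix above in a self-contained in-memory service. The store, the `User`/`Document` types, the role name `admin` and the sample records are all constructed for the illustration; a real application would apply the same `authorize_object` step inside its ORM or request layer.

```python
"""IDOR: vulnerable lookup vs. object-level authorization with tenancy check,
opaque IDs and an authorization test matrix. Hypothetical in-memory service."""
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is authenticated but not permitted to touch this object."""


class NotFound(Exception):
    """Object does not exist for this caller (also used to hide cross-tenant objects)."""


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    roles: frozenset = frozenset()


@dataclass
class Document:
    doc_id: str
    tenant_id: str
    owner_id: str
    body: str


# Constructed sample data: sequential IDs are exactly what makes enumeration easy.
DOCUMENTS = {
    "1": Document("1", "tenant-a", "alice", "alice's invoice"),
    "2": Document("2", "tenant-a", "bob", "bob's invoice"),
    "3": Document("3", "tenant-b", "carol", "carol's invoice"),
}


def get_document_vulnerable(user: User, doc_id: str) -> Document:
    """The bug: authentication is assumed to be enough; no ownership check."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc  # any logged-in user can read any ID they guess


def authorize_object(user: User, doc: Document, action: str) -> None:
    """Object-level check applied to every read/write, in this order:
    1. tenancy: an object from another tenant is reported as absent, so the
       caller cannot even confirm it exists;
    2. ownership or an explicit role grant."""
    if doc.tenant_id != user.tenant_id:
        raise NotFound(doc.doc_id)
    if doc.owner_id == user.user_id or "admin" in user.roles:
        return
    raise Forbidden(f"{user.user_id} may not {action} {doc.doc_id}")


def get_document(user: User, doc_id: str) -> Document:
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    authorize_object(user, doc, "read")
    return doc


def update_document(user: User, doc_id: str, body: str) -> Document:
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    authorize_object(user, doc, "write")  # writes get the same check as reads
    doc.body = body
    return doc


# Opaque IDs: external callers see a random token, never the internal key.
_OPAQUE_TO_INTERNAL: dict[str, str] = {}


def issue_opaque_id(internal_id: str) -> str:
    token = secrets.token_urlsafe(16)  # 128 bits of randomness, not guessable
    _OPAQUE_TO_INTERNAL[token] = internal_id
    return token


def resolve_opaque_id(token: str) -> str:
    """Opaque IDs reduce enumeration; they never replace authorize_object."""
    internal = _OPAQUE_TO_INTERNAL.get(token)
    if internal is None:
        raise NotFound(token)
    return internal


def run_authorization_matrix() -> dict[tuple[str, str], bool]:
    """Authorization test: every (user, doc) pair against its expected outcome.
    Returns True per cell when the hardened handler behaved as expected."""
    alice = User("alice", "tenant-a")
    bob = User("bob", "tenant-a")
    carol = User("carol", "tenant-b")
    cases = [  # (user, doc_id, access expected)
        (alice, "1", True), (alice, "2", False), (alice, "3", False),
        (bob, "2", True), (bob, "1", False), (carol, "3", True), (carol, "1", False),
    ]
    results = {}
    for user, doc_id, expected in cases:
        try:
            get_document(user, doc_id)
            got = True
        except (Forbidden, NotFound):
            got = False
        results[(user.user_id, doc_id)] = (got == expected)
    return results
```

Running the matrix before and after a change to the data layer is the cheapest regression test for this bug class: the vulnerable handler passes the "allowed" rows and fails every "denied" row, which is precisely the silent symptom described below.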
Symptoms
Observable signs that may indicate IDOR (broken object level auth):
- Changing an ID in URL/body returns another user’s resource.
- Authorization is enforced for resource A but not for resource B of the same type.
- Audit logs show cross-tenant or cross-user reads/writes.
Example Errors:
- None (often silent) — incorrect data returned
- 403 only on some endpoints; others improperly allow access
- Audit: user X accessed object belonging to user Y