Access Control Checked by Vezraa
Insecure Direct Object Reference (IDOR)
A vulnerability where users can access other users' data by changing an ID parameter.
IDOR occurs when an API trusts a user-supplied identifier without verifying that the authenticated caller owns the referenced resource. Changing /api/invoices/123 to /api/invoices/124 must not return another user's invoice. The fix is to verify resource ownership server-side, against the authenticated caller, before returning the data.
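The invoice endpoint described above, as an added example that is not part of the Vezraa page: an IDOR-prone handler that trusts the id from the URL, beside a version that checks ownership server-side against the authenticated caller. No web framework is used; the invoice ids, owner ids and amounts are constructed sample data, and the handler receives the caller's user id the way a real app would derive it from the session or token, never from the request itself.

```python
"""
Added example (not the page's own code): IDOR-prone invoice lookup next to
an ownership-checked version. Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total_cents: int


# Constructed sample store: two users, three invoices (hypothetical values).
INVOICES = {
    123: Invoice(invoice_id=123, owner_id=1, total_cents=4_999),
    124: Invoice(invoice_id=124, owner_id=2, total_cents=12_000),
    125: Invoice(invoice_id=125, owner_id=1, total_cents=750),
}


@dataclass(frozen=True)
class Response:
    status: int
    body: Optional[dict]


def _render(inv: Invoice) -> dict:
    return {"invoice_id": inv.invoice_id, "total_cents": inv.total_cents}


def get_invoice_vulnerable(invoice_id: int) -> Response:
    """IDOR: the id taken from the URL is trusted as-is.

    Nothing ties the invoice to the caller, so any authenticated user can
    read any invoice simply by supplying its id.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404, None)
    return Response(200, _render(inv))


def get_invoice_secure(current_user_id: int, invoice_id: int) -> Response:
    """Ownership is verified server-side against the authenticated principal.

    current_user_id comes from the session or token, not from the request.
    A foreign invoice gets the same 404 as a missing one, so the response
    does not confirm that the id exists (a design choice made here).
    In a database-backed app the same rule belongs in the query itself,
    e.g. filtering on both the invoice id and the owner id.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != current_user_id:
        return Response(404, None)
    return Response(200, _render(inv))


def demo() -> None:
    # User 1 requests each id in turn; only the secure handler limits the
    # result to invoices user 1 actually owns.
    for iid in (123, 124, 125):
        print(f"invoice {iid}: vulnerable={get_invoice_vulnerable(iid).status} "
              f"secure={get_invoice_secure(1, iid).status}")


if __name__ == "__main__":
    demo()
```

Running the block prints 200 for every id from the vulnerable handler, while the secure handler returns 200 only for invoices 123 and 125 (owned by user 1) and 404 for invoice 124. Putting the owner filter in the data-access query rather than in a separate check after the fetch keeps the ownership rule from being skipped by a new code path.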