Severity: HIGH | CWE-639 | Access Control

IDOR — Insecure Direct Object Reference

Description

API endpoints accept a user-supplied object ID (path or query parameter, form field, or JSON body) and look the object up by that ID alone, without verifying that the authenticated user owns or is otherwise authorised to access it. Any user who can guess or enumerate IDs can reach other users' resources simply by changing the value.

How Vezraa Detects It

We crawl your API, identify ID-like parameters in the requests it makes, and re-issue each request with substituted IDs to test whether the response returns data belonging to a different user.

Real-World Impact

Any authenticated (and sometimes unauthenticated) user can read, modify, or delete other users' private data by changing an ID: invoices, messages, profiles, documents. Because IDs are often sequential, the whole data set can be enumerated with a simple loop.

Fix Example

// BAD — no ownership check
app.get('/api/invoices/:id', async (req, res) => {
  const invoice = await db.findInvoice(req.params.id);
  res.json(invoice);
});

// GOOD — verify ownership, and send a response in every branch
app.get('/api/invoices/:id', async (req, res) => {
  const invoice = await db.findInvoice(req.params.id);
  // Reject both a missing invoice and one owned by someone else.
  // Note: res.status(403) alone only sets the code and leaves the request
  // hanging; .end() (or .send()) actually sends the response. Answering 404
  // in both cases instead of 403 also avoids revealing which IDs exist.
  if (!invoice || invoice.userId !== req.session.userId) {
    return res.status(403).end();
  }
  res.json(invoice);
});
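The safer pattern is to make ownership part of the lookup rather than a check bolted on afterwards, so there is no comparison to forget. The example below is added here and is not Vezraa's code or the scanner itself: it puts the vulnerable handler next to a hardened one whose database call is scoped to the authenticated user, and runs the kind of differential probe described under "How Vezraa Detects It" against both (fetch one invoice as its owner, then as another user, and compare). Express is not required; `req`, `res`, the `db` object, the invoice rows and the user names are constructed stand-ins so the file runs offline with `node`. Unlike the fix above, the hardened handler answers 404 for a foreign invoice as well as for a missing one, so a 403/404 difference cannot be used to enumerate valid IDs.

```javascript
// Added example, not Vezraa's code. Constructed sample invoice table.
const invoices = new Map([
  [101, { id: 101, userId: 'alice', total: 420.0 }],
  [102, { id: 102, userId: 'bob', total: 77.5 }],
]);

// Stand-in for the database layer (assumption: a real app would use its ORM).
const db = {
  // Unscoped lookup: every caller must remember to check ownership.
  async findInvoice(id) {
    return invoices.get(Number(id)) ?? null;
  },
  // Scoped lookup: ownership is part of the query, so there is nothing to forget.
  async findInvoiceForUser(id, userId) {
    const inv = invoices.get(Number(id));
    return inv && inv.userId === userId ? inv : null;
  },
};

// Minimal Express-like response object that records status and body.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  res.end = () => res;
  return res;
}

// BAD: trusts the client-supplied id and never asks who is calling.
async function vulnerableHandler(req, res) {
  const invoice = await db.findInvoice(req.params.id);
  if (!invoice) return res.status(404).end();
  return res.json(invoice);
}

// GOOD: the lookup is scoped to the session user. A foreign invoice and a
// missing invoice both produce 404, so the response does not reveal which
// ids exist. An unauthenticated request is rejected before any lookup.
async function hardenedHandler(req, res) {
  if (!req.session?.userId) return res.status(401).end();
  const invoice = await db.findInvoiceForUser(req.params.id, req.session.userId);
  if (!invoice) return res.status(404).end();
  return res.json(invoice);
}

// Invoke a handler as a given user (null = anonymous) and capture the result.
async function callAs(handler, userId, id) {
  const res = makeRes();
  const req = { params: { id: String(id) }, session: userId ? { userId } : {} };
  await handler(req, res);
  return { status: res.statusCode, body: res.body };
}

// Differential IDOR probe: request the same id as its owner and as another
// user. The endpoint is vulnerable if the other user gets the same object.
async function probeIdor(handler, ownerId, otherId, invoiceId) {
  const asOwner = await callAs(handler, ownerId, invoiceId);
  const asOther = await callAs(handler, otherId, invoiceId);
  const leaked =
    asOwner.status === 200 &&
    asOther.status === 200 &&
    JSON.stringify(asOwner.body) === JSON.stringify(asOther.body);
  return { leaked, ownerStatus: asOwner.status, otherStatus: asOther.status };
}

async function main() {
  console.log('vulnerable:', await probeIdor(vulnerableHandler, 'alice', 'bob', 101));
  console.log('hardened:  ', await probeIdor(hardenedHandler, 'alice', 'bob', 101));
}

main();
```

Running it reports `leaked: true` for the vulnerable handler and `leaked: false` for the hardened one, with the other user receiving 404. The same probe shape works against a live API: authenticate two accounts, collect object IDs seen by the first, request each of them as the second, and flag any 200 whose body matches.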

Affected Stacks

Next.js, Express, REST APIs
