Severity: HIGH | CWE-639 | Category: Access Control
IDOR — Insecure Direct Object Reference
Description
API endpoints accept user-supplied IDs without verifying ownership, allowing users to access other users' resources by changing an ID parameter.
How Vezraa Detects It
We crawl your API patterns, identify ID parameters, and test whether changing them returns data belonging to other users.
Real-World Impact
Users can read, modify, or delete other users' private data — invoices, messages, profiles, documents.
Fix Example
// BAD — no ownership check: any authenticated user can fetch any invoice by changing the ID
app.get('/api/invoices/:id', async (req, res) => {
  const invoice = await db.findInvoice(req.params.id);
  res.json(invoice);
});

// GOOD — verify ownership before returning the record
app.get('/api/invoices/:id', async (req, res) => {
  const invoice = await db.findInvoice(req.params.id);
  // Guard the null case first; otherwise reading .userId of a missing record throws
  if (!invoice) return res.status(404).json({ error: 'Not found' });
  // res.status() alone never sends a response; chain .json() (or .end()) so the request completes
  if (invoice.userId !== req.session.userId) return res.status(403).json({ error: 'Forbidden' });
  res.json(invoice);
});
Affected Stacks
Next.js, Express, REST APIs
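The fix above is an added, framework-free example (not Vezraa's code) that goes one step further than the per-handler check: it moves ownership into the query itself and adds an authorization regression test that requests every record as a non-owner, the same check the detection section describes. The invoice data, user names and the `findInvoiceForUser` helper are constructed for the example.

```javascript
// Constructed sample data: two users, each owning one invoice.
const invoices = [
  { id: '1001', userId: 'alice', total: 120 },
  { id: '1002', userId: 'bob', total: 75 },
];

const db = {
  // Unscoped lookup: every caller must remember to check ownership afterwards.
  findInvoice: (id) => invoices.find((inv) => inv.id === id) || null,
  // Owner-scoped lookup: the ownership filter is part of the query, so a
  // forgotten check in a handler cannot return another user's row.
  findInvoiceForUser: (id, userId) =>
    invoices.find((inv) => inv.id === id && inv.userId === userId) || null,
};

// Handlers take a minimal request ({ params, session }) and return { status, body }
// so the logic can be exercised without starting a server.

// BAD: the ID is trusted and ownership is never checked.
function vulnerableHandler(req) {
  const invoice = db.findInvoice(req.params.id);
  return invoice ? { status: 200, body: invoice } : { status: 404, body: null };
}

// GOOD: the lookup is scoped to the authenticated user. A missing row and a
// row owned by someone else both yield 404, so the response does not reveal
// whether a given ID exists.
function safeHandler(req) {
  const userId = req.session && req.session.userId;
  if (!userId) return { status: 401, body: null };
  const invoice = db.findInvoiceForUser(req.params.id, userId);
  return invoice ? { status: 200, body: invoice } : { status: 404, body: null };
}

// Authorization regression test: request every invoice as a user who does not
// own it and return the IDs that still come back as a foreign record with 200.
function findIdorLeaks(handler) {
  const leaked = [];
  for (const inv of invoices) {
    const otherUser = inv.userId === 'alice' ? 'bob' : 'alice';
    const res = handler({ params: { id: inv.id }, session: { userId: otherUser } });
    if (res.status === 200 && res.body && res.body.userId !== otherUser) leaked.push(inv.id);
  }
  return leaked;
}
```

Run `findIdorLeaks` against each handler in CI: the vulnerable one reports both IDs, the scoped one reports none.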