Skip to content


On Insecure Direct Object References (IDOR)

[Work in Progress]

Questions to take note about the application:

How does the application identify the user?
We want to know how the user is being identified by the application server. Such information may be found in cookies, request url, etc. Example of information to take note includes user_id, id, account_id, etc. There might also be cases where the user is identified only by session id. Sometimes the information is encoded and store as tokens. Sometimes developers might try to fool the users by encrypting their usernames and then use it as an identifier.

What are the data objects can be retrieved and the actions that the user can perform?
We need to know what are the data that are being retrieved by the users and observe the method that is used. Also we want to see what kind of actions can be performed by the different user roles so that we test if the privileges can be escalated.

Where can I find IDORs?

  • Look at API documents of the applications and see if any id is used.
  • Look at applications that process many documents such as images, files, etc that can be retrieved by the user in the future.


  • OWASP Juice Shop – View another user’s shopping basket.

Useful Resources:

Disclosure Reports