What is insecure direct object reference (IDOR)?

Updated May 6, 2026

Short answer

IDOR occurs when an application exposes a direct reference to an internal object (typically a database key in a URL, form field or API parameter) and does not verify that the requesting user is authorized to access that specific object, so changing the identifier returns or modifies another user's data.

Deep explanation

The root cause is missing object-level authorization, not the visibility of the identifier. The server authenticates the user, reads an identifier such as invoice_id=1001 from the request, and fetches that record without checking that it belongs to the caller. An attacker who is logged in as any ordinary user can then substitute 1002, 1003 and so on and read, update or delete records they do not own. Sequential integer IDs make the objects easy to enumerate, but switching to random identifiers such as UUIDs only slows enumeration; IDs still leak through links, logs, emails and other users' responses. The fix is a server-side check on every request that the authenticated principal is permitted to perform that operation on that object, usually by scoping the database query to the caller (for example, look up the invoice by id and owner id together). OWASP classifies IDOR under Broken Access Control (A01:2021) and, for APIs, as Broken Object Level Authorization (API1:2023); the corresponding weakness is CWE-639, Authorization Bypass Through User-Controlled Key.

Real-world example

A customer views their own invoice at /invoices/1042, changes the number in the URL to /invoices/1043, and is shown a different customer's invoice because the endpoint only checks that the requester is logged in, not that they own invoice 1043.
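The following is an added example (not code from the original page) that shows the invoice scenario above and the fix described in the deep explanation: a lookup that ignores the caller's identity beside one that scopes the lookup to the caller. The invoice table, user IDs and function names are constructed for illustration; "Invoice", "INVOICES" and "NotFound" are assumptions, not a real application's API.

```python
"""IDOR demonstration: vulnerable versus authorization-checked invoice access.

The in-memory dict stands in for a database table (constructed sample data).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount_cents: int
    paid: bool = False


class NotFound(Exception):
    """Raised for a missing record; the secure path also raises this for
    records that exist but belong to another user, so the response does not
    reveal whether a guessed id is valid."""


# Constructed sample table: sequential, guessable ids owned by users 7 and 8.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount_cents=12_500),
    1002: Invoice(1002, owner_id=8, amount_cents=98_000),
    1003: Invoice(1003, owner_id=7, amount_cents=4_300),
}


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Vulnerable: fetches by id only. current_user_id is accepted but never
    used, so any authenticated user can read any invoice by changing the id."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_secure(current_user_id: int, invoice_id: int) -> Invoice:
    """Fixed: object-level authorization. The lookup is scoped to the caller,
    equivalent to SELECT ... WHERE id = ? AND owner_id = ? in SQL."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != current_user_id:
        raise NotFound(invoice_id)
    return inv


def mark_paid_secure(current_user_id: int, invoice_id: int) -> Invoice:
    """Mutations go through the same scoped lookup, so the check is not
    limited to the read path (a common gap when only GET handlers are fixed)."""
    inv = get_invoice_secure(current_user_id, invoice_id)
    updated = replace(inv, paid=True)
    INVOICES[invoice_id] = updated
    return updated


def enumerate_ids(lookup, attacker_id: int, start: int, stop: int) -> list:
    """Simulates an attacker iterating over nearby ids with their own session.
    Returns the ids that were successfully read."""
    leaked = []
    for iid in range(start, stop):
        try:
            lookup(attacker_id, iid)
            leaked.append(iid)
        except NotFound:
            pass
    return leaked


if __name__ == "__main__":
    # User 8 owns only invoice 1002; the vulnerable endpoint leaks all three.
    print("vulnerable:", enumerate_ids(get_invoice_vulnerable, 8, 1000, 1005))
    print("secure:    ", enumerate_ids(get_invoice_secure, 8, 1000, 1005))
```

The enumeration helper makes the difference measurable: against the vulnerable lookup, user 8 reads invoices 1001, 1002 and 1003; against the scoped lookup, only 1002. Note that the secure path raises NotFound rather than a separate "forbidden" error, so the attacker cannot use status codes to distinguish foreign invoices from non-existent ones.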

Common mistakes

  • Relying only on frontend restrictions (hiding links or buttons) while the backend serves any id it is given.
  • Treating unguessable identifiers (UUIDs, hashes) as a substitute for an authorization check.
  • Checking ownership on the read endpoint but not on update, delete or export endpoints for the same object.
  • Checking authorization on the list endpoint and assuming the detail endpoint is covered because the list only shows the user's own ids.
  • Trusting identifiers supplied by the client (user_id or account_id in the request body) instead of taking the principal from the authenticated session.

Follow-up questions

  • How to fix IDOR?
  • Why is it common?
