Definition
IDOR
Insecure Direct Object Reference — a vulnerability where changing an ID in a URL or request exposes another user's data.
IDOR is one of the most common security vulnerabilities in web applications, ranked in the OWASP Top 10. It occurs when an application exposes internal object references (like database IDs) in URLs or API calls without verifying that the requesting user is authorized to access that object. For example, if changing /api/invoices/123 to /api/invoices/124 shows another user's invoice, that's an IDOR vulnerability. AI-generated code frequently contains IDOR vulnerabilities because AI tools focus on making features work rather than implementing authorization checks.
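The invoice scenario above, as an added Python example (not code from this page or from the linked article). It places the vulnerable lookup the paragraph describes next to the hardened form, in which ownership is part of the query rather than a check that can be forgotten. The in-memory invoice table, the user and invoice ids, and the function names are all constructed for illustration.

```python
"""Added example: a vulnerable and a hardened invoice lookup, side by side.

The in-memory table, ids and function names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total_cents: int


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    123: Invoice(id=123, owner_id=1, total_cents=4999),
    124: Invoice(id=124, owner_id=2, total_cents=125000),
}


class NotFound(Exception):
    """The object does not exist, or the caller is not allowed to see it."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: trusts the id taken from the URL and never checks who owns the row.

    The authenticated user is available (current_user_id) but ignored; that
    omission is the whole bug.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice_hardened(current_user_id: int, invoice_id: int) -> Invoice:
    """Fix: the object is returned only when the authenticated user owns it.

    With a typical ORM this is the difference between looking a row up by id
    alone and filtering on both id and owner_id; scoping the query to the
    current user makes the authorization check part of the data access.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        # Same response for "missing" and "not yours", so the existence of
        # other users' ids is not revealed by a 403-versus-404 difference.
        raise NotFound(invoice_id)
    return invoice


def lookup_status(handler, current_user_id: int, invoice_id: int) -> str:
    """Drive a handler as a request would and report the HTTP-style outcome."""
    try:
        invoice = handler(current_user_id, invoice_id)
        return f"200 owner={invoice.owner_id}"
    except NotFound:
        return "404"


if __name__ == "__main__":
    # User 1 fetches their own invoice (123), then the id is changed to 124.
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("hardened", get_invoice_hardened)):
        print(f"{name:10s} own: {lookup_status(handler, 1, 123)}  "
              f"changed id: {lookup_status(handler, 1, 124)}")
```

Running the script shows the vulnerable handler serving user 2's invoice to user 1 with a 200, while the hardened handler answers 404 for the same request and still serves user 1 their own invoice. A useful code-review habit is to grep for lookups by primary key alone in any handler that takes an id from the request, and to confirm that each one is scoped to the caller.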