Skip to content

How to Fix Insecure Direct Object Reference (IDOR) Vulnerabilities

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about How to Fix Insecure Direct Object Reference (IDOR) Vulnerabilities. We cover key concepts, practical examples, and best practices.

Insecure Direct Object Reference (IDOR) vulnerabilities occur when an application exposes direct references to internal objects (database IDs, file paths) and does not verify the user's authorization to access those objects.

Quick Fix

Wrong

app.get("/api/user/:id", [](Request& req, Response& res) {
    int userId = std::stoi(req.param("id"));
    User user = db.query("SELECT * FROM users WHERE id = ?", userId);
    res.json(user);
});

Authenticated user can access any user's data by changing the id parameter.

app.get("/api/user/:id", [](Request& req, Response& res) {
    int requestedId = std::stoi(req.param("id"));
    int sessionUserId = req.session.userId;

    if (requestedId != sessionUserId && !req.session.isAdmin) {
        res.status(403).send("Access denied");
        return;
    }
    User user = db.query("SELECT * FROM users WHERE id = ?", requestedId);
    res.json(user);
});

Fix with UUIDs

// Use UUIDs instead of sequential IDs
app.get("/api/user/:uuid", [](Request& req, Response& res) {
    std::string uuid = req.param("uuid");
    if (!ownsResource(req.session, uuid)) {
        res.status(403).send("Access denied");
        return;
    }
    // ...
});

Fix with ownership check (generic)

bool userOwnsResource(int userId, const std::string& resourceType,
                      int resourceId) {
    auto result = db.query(
        "SELECT owner_id FROM " + resourceType +
        " WHERE id = ?", resourceId);
    return !result.empty() && result[0]["owner_id"] == userId;
}

Prevention

  • Never trust user-supplied IDs without authorization checks.
  • Use indirect references (UUIDs, random tokens) instead of sequential IDs.
  • Implement access control checks for every object access.
  • Use server-side sessions to track the current user's identity.
  • Test authorization with automated scripts that try alternate IDs.

DodaTech Tools

Doda Browser's security scanner tests each API endpoint with different user IDs and tokens to detect IDOR vulnerabilities. DodaZIP archives access control lists for audits. Durga Antivirus Pro detects unauthorized object access patterns.

Common Mistakes with direct object

  1. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
  2. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  3. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks

These mistakes appear frequently in real-world INSECURE code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

What is the difference between IDOR and broken access control?

IDOR is a specific type of broken access control where direct object references are exposed. Broken access control is the broader category including missing role checks, path traversal, and privilege escalation.

Does using UUIDs instead of sequential IDs prevent IDOR?

UUIDs make IDs harder to guess but do not prevent IDOR. Authorization checks are still required. An attacker who discovers another user's UUID can still access their data without proper checks.

How do I test for IDOR vulnerabilities?

Authenticate as user A, note the resource ID, then try accessing the same resource as user B. Automated scanners can systematically enumerate IDs and check access.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro