Broken Access Control & IDOR
When the app forgets to check what you are allowed to do: the #1 category on the OWASP Top 10.
Broken access control is the most common — and often highest-impact — web vulnerability class. The app authenticates *who you are* but fails to enforce *what you’re allowed to do or see*.
IDOR: the everyday version
An Insecure Direct Object Reference is when you can change an identifier in a request and access something that isn’t yours.
GET /api/invoices/1043 ← your invoice
GET /api/invoices/1044 ← someone else’s, served without a check

- Horizontal — access another *user’s* data at the same privilege level (other people’s invoices, messages, orders).
- Vertical — escalate privilege: a normal user hitting an admin-only endpoint that never checks the role.
IDOR is consistently one of the best effort-to-reward bugs in bounty programs — no exploit chain, just a missing authorization check. Test it everywhere there’s an ID.
How to find it
- Make two accounts. Do an action as user A, then replay the request with user B’s session — does it work?
- Increment/decrement numeric IDs; swap UUIDs and usernames.
- Force-browse to admin paths (/admin, /api/internal/*) as a low-priv user.
- Watch for IDs in *responses* you can then reuse in *requests*.
The fix
Enforce authorization server-side, on every request, with object-level ownership checks (“does this record belong to the caller?”) in addition to the role check. Deny by default: if the check cannot prove the caller is allowed, refuse. Never rely on the client hiding a button or an ID being hard to guess.
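The vulnerable handler beside its fixed version, as an added example (not code from the original post). The invoice table, the `Caller` object and the two-account check are constructed here for illustration; a real app would read the caller from the verified session and the record from a database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Caller:
    """Identity taken from the verified session, never from the request body."""
    user_id: int
    role: str  # "user" or "admin" (constructed roles)

# Constructed sample data: invoice_id -> owner and amount
INVOICES = {
    1043: {"owner": 7, "amount": 120.00},
    1044: {"owner": 9, "amount": 450.00},
}

def get_invoice_vulnerable(caller: Caller, invoice_id: int):
    """IDOR: the caller is authenticated, but ownership is never checked."""
    invoice = INVOICES.get(invoice_id)
    return (404, None) if invoice is None else (200, invoice)

def get_invoice_fixed(caller: Caller, invoice_id: int):
    """Object-level check on every request: the record must belong to the
    caller, or the caller must hold the admin role. Deny by default."""
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        invoice["owner"] == caller.user_id or caller.role == "admin"
    )
    # Same response for "missing" and "not yours" so the ID space cannot be
    # enumerated by telling 403 apart from 404.
    return (200, invoice) if allowed else (404, None)

def admin_export_fixed(caller: Caller):
    """Vertical case: the role is checked server-side, not by hiding a button."""
    if caller.role != "admin":
        return 403, None
    return 200, dict(INVOICES)

def two_account_check(handler, owner: Caller, other: Caller, invoice_id: int) -> bool:
    """The 'make two accounts' test from above: True means the handler leaks
    the owner's record to the other account (i.e. it is vulnerable)."""
    status_owner, _ = handler(owner, invoice_id)
    status_other, _ = handler(other, invoice_id)
    return status_owner == 200 and status_other == 200
```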