Insecure Direct Object Reference

The application is vulnerable to an insecure direct object reference (IDOR). It references an internal object, such as a file name or a database key, directly in a user-controllable parameter and exposes that reference without enforcing server-side access control on it. An attacker can manipulate the object reference to bypass access controls and reach resources they are not authorized to access.


By changing the reference value for an object, an attacker can bypass authorization rules and access sensitive data. Where the reference values are sequential or otherwise predictable, the attacker can often iterate through them to retrieve every record associated with that object type.
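The defect and its fix side by side, as an added example that is not part of the findings database entry: a document lookup keyed on a request-supplied id, first without an ownership check and then with the lookup scoped to the calling user, plus a per-user indirect reference map as an alternative control. The document store, user names and ids are constructed for the example.

```python
import secrets

# Constructed sample store: record id -> owner and content.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}


class NotFound(Exception):
    """Raised for both 'missing' and 'not yours' so the response does not reveal existence."""


def get_document_insecure(current_user: str, doc_id: int) -> str:
    # Vulnerable: the id taken from the request is used directly as the database key and
    # the owner is never compared to the session user, so any authenticated user can read
    # any row simply by changing the id.
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc["body"]


def get_document_secure(current_user: str, doc_id: int) -> str:
    # Fixed: the lookup is scoped to the caller. A record that exists but belongs to
    # someone else is answered exactly like a record that does not exist.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        raise NotFound(doc_id)
    return doc["body"]


def make_reference_map(current_user: str) -> dict:
    # Alternative control: hand the client opaque per-session handles that only cover the
    # user's own records, so there is no real key to tamper with or enumerate.
    return {secrets.token_urlsafe(16): doc_id
            for doc_id, doc in DOCUMENTS.items() if doc["owner"] == current_user}


def resolve_reference(ref_map: dict, handle: str) -> str:
    # The handle resolves only through the caller's own map.
    doc_id = ref_map.get(handle)
    if doc_id is None:
        raise NotFound(handle)
    return DOCUMENTS[doc_id]["body"]


def can_read_foreign_record(fetch, current_user: str = "alice", foreign_id: int = 102) -> bool:
    """Regression check: True if `fetch` lets `current_user` read a record owned by someone else."""
    try:
        fetch(current_user, foreign_id)
        return True
    except NotFound:
        return False
```

The regression check is the kind of test a team would keep after fixing this finding: it must return False for every endpoint that takes an object id.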

Risk Rating


How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas


