IDOR (Access Control) Vulnerability
Imagine a hotel with hundreds of rooms. Each guest is given a keycard with a room number printed on it, say, Room 204.
But rather than checking who the guest is, the hotel lets anyone open any room as long as they know the room number. Not a great system!
So if a guest figures out that Room 203 or Room 205 exists and tries those numbers, the doors open, even though they're not supposed to be in those rooms.
The room numbers are like object identifiers (e.g., user IDs, file IDs, invoice numbers) in a web application.
The keycard system is supposed to enforce access control, but it doesn't actually verify whether you should access that room: it just sees that you asked for it.
So if a user manually changes a URL
from:
https://site.com/invoice/204
to:
https://site.com/invoice/205
and gains access to someone else's invoice, that's IDOR in action: slipping into the wrong hotel room because no one is checking who you are.
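To make the "no one is checking who you are" point concrete, here is an added example (not code from the original article) that models the invoice URL above with an in-memory store. The vulnerable handler trusts the invoice number alone, exactly like the hotel keycard; the hardened handler resolves the invoice only within the logged-in user's own records and answers "not found" for both missing and foreign IDs, so the response does not even confirm that a neighbouring invoice exists. The invoice data, user IDs and the `handle_request` router are constructed for this illustration.

```python
"""IDOR illustration: an invoice lookup keyed on the URL identifier only,
beside the same lookup scoped to the authenticated user.
All data and function names are hypothetical, built for this example."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: float


# Constructed sample data: invoices 204 and 206 belong to user 42,
# invoice 205 belongs to user 77.
INVOICES = {
    204: Invoice(204, owner_id=42, total=119.00),
    205: Invoice(205, owner_id=77, total=350.50),
    206: Invoice(206, owner_id=42, total=12.99),
}


class NotFound(Exception):
    """Raised when the caller may not see the requested object."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """IDOR-prone: the identifier from the URL is the only thing checked.
    current_user_id is available but never consulted, so any authenticated
    user who changes 204 to 205 receives user 77's invoice."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_secure(current_user_id: int, invoice_id: int) -> Invoice:
    """Hardened: ownership is part of the lookup, not an afterthought.
    A foreign invoice and a nonexistent one produce the same error, so the
    response cannot be used to learn which neighbouring IDs exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != current_user_id:
        raise NotFound(invoice_id)
    return inv


def list_invoices_secure(current_user_id: int) -> list[Invoice]:
    """Listing is scoped the same way: filter by owner at the data layer,
    never by trusting identifiers supplied by the client."""
    return [inv for inv in INVOICES.values() if inv.owner_id == current_user_id]


_INVOICE_PATH = re.compile(r"^/invoice/(\d+)$")


def handle_request(path: str, session_user_id: int, secure: bool = True):
    """Minimal stand-in for a web router: maps /invoice/<id> to a handler
    and converts exceptions to an HTTP-style (status, body) pair."""
    m = _INVOICE_PATH.match(path)
    if not m:
        return 404, "not found"
    invoice_id = int(m.group(1))
    handler = get_invoice_secure if secure else get_invoice_vulnerable
    try:
        inv = handler(session_user_id, invoice_id)
    except NotFound:
        return 404, "not found"
    return 200, f"invoice {inv.invoice_id} total {inv.total:.2f}"


if __name__ == "__main__":
    # User 42 changes the URL from their own invoice 204 to 205.
    print(handle_request("/invoice/205", session_user_id=42, secure=False))
    print(handle_request("/invoice/205", session_user_id=42, secure=True))
```

The design choice worth copying is in `get_invoice_secure` and `list_invoices_secure`: the owner is a condition of the query itself, so there is no separate "did we remember to check?" step that a new endpoint can forget. Returning 404 rather than 403 for a foreign object is a deliberate choice to avoid confirming the object's existence; some applications prefer 403 for auditing clarity, and either is acceptable as long as the ownership check is present.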
