Bug Bounty

IDOR (Insecure Direct Object Reference)

Definition

Access control vulnerability: the server exposes guessable or predictable IDs and doesn't validate that the requester is authorised to access that resource.

The most-hunted bug class for beginners, and for experts on large programs. Pattern: `GET /api/invoices/123` returns your invoice; change it to `/api/invoices/124` and you get the next user's invoice. No 403, no authorisation check.

Variants: horizontal IDOR (peer-to-peer, one user reading another user's data), vertical (escalation to admin-only resources), write-side (PUT/DELETE on others' resources), predictable UUIDs (UUIDv1 embeds a MAC address and timestamp; base64-encoded IDs that leak the underlying value).

Defence: check ownership on EVERY resource endpoint, server-side, not in the frontend. Add automated tests that change the ID and expect 403. Scope ORM queries per user (Rails default_scope + current_user, Django get_object_or_404 with a filter on the current user). Use random UUIDv4 identifiers at minimum (not UUIDv1).
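The vulnerable lookup, the ownership-checked version, and the "change the ID and expect 403" test described above, as an added framework-free example (not code from this site or any project); the `Invoice` store and user IDs are constructed sample data standing in for a Django/Rails model:

```python
from dataclasses import dataclass


@dataclass
class Invoice:
    id: int
    owner_id: int
    total: str


# Constructed sample store: invoice 123 belongs to user 1, 124 to user 2.
INVOICES = {
    123: Invoice(123, owner_id=1, total="40.00 EUR"),
    124: Invoice(124, owner_id=2, total="99.00 EUR"),
}


def get_invoice_vulnerable(current_user_id, invoice_id):
    """The IDOR pattern: fetch by ID only, never compare against the requester."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv  # any authenticated user gets any invoice


def get_invoice_fixed(current_user_id, invoice_id):
    """Ownership is part of the lookup, the equivalent of
    get_object_or_404(Invoice, pk=invoice_id, owner=request.user)."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    if inv.owner_id != current_user_id:
        return 403, None  # server-side check, independent of the frontend
    return 200, inv


def delete_invoice_fixed(current_user_id, invoice_id):
    """Write-side variant: the same check must guard PUT/DELETE handlers."""
    status, inv = get_invoice_fixed(current_user_id, invoice_id)
    if status != 200:
        return status
    del INVOICES[inv.id]
    return 204


def idor_probe(handler, attacker_user=1, victim_resource=124):
    """Automated regression check: request a resource the caller does not own.
    Returns True when the endpoint correctly refuses (403, or 404 if existence
    is hidden); a 200 here is an IDOR finding."""
    status, _ = handler(attacker_user, victim_resource)
    return status in (403, 404)
```

Run `idor_probe` against every resource handler in CI so a regression that drops the owner filter fails the build rather than reaching production.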

Related terms

  • XSS
  • SQLi
  • SSRF

© 2026 BBLabs News · By Gorka El Bochi
Made in Spain