IDOR
Insecure Direct Object Reference, a class of vulnerability where changing a resource id in a URL or request gives access to someone else's data.
What is an IDOR?
Insecure Direct Object Reference is the "change the number in the URL and see someone else's stuff" bug. Hit /invoices/123 for your own invoice, change it to /invoices/124, and you are looking at another user's billing.
Technically it is one form of broken access control (an authorization failure, not an authentication one: the attacker is logged in, just not as the owner), but it gets its own name because it is so common and so easy to exploit: no tooling needed, just an incremented id.
Why AI tools generate IDOR bugs
Prompt-to-app builders often scaffold CRUD endpoints that look like this (deliberately vulnerable, as generated):
// GET /api/invoices/:id
const invoice = await db.invoices.findById(params.id) // looks up by the client-supplied id only
return Response.json(invoice)

There is no check that req.user.id equals invoice.ownerId, so any logged-in user can request any invoice by changing the id. The handler authenticates the caller and then trusts the parameter completely.
How to fix
Three options, from weakest to strongest:
- App-level check: verify ownership in the handler before returning, e.g. compare invoice.ownerId with req.user.id and respond 404 (not 403, which confirms the id exists) on mismatch.
- Scoped query: findOne({ id: params.id, ownerId: req.user.id }). Returns nothing if the owner does not match, so there is no separate check to forget.
- Database-level policy: enable row level security so the database itself filters every query by auth.uid() = owner_id.
Option 3 is preferred because it holds even for a new endpoint whose author forgets the check entirely. Option 2 is next best: the ownership condition travels with the query rather than living in handler code that the next generated endpoint may not copy. Option 1 works but depends on every handler, present and future, remembering to do it.
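The vulnerable handler above and the three fixes side by side, as an added example that is not code from the page or from any particular app builder. It runs against a constructed in-memory invoices table (synchronous, so no database is needed); `req.user.id`, `params.id`, the `db` store and the handler names are assumptions, and the "row level security" fix is simulated with a per-user store handle that filters every lookup, standing in for a Postgres policy of `auth.uid() = owner_id`.

```javascript
// Added example, not code from the page. Constructed sample data: two users, one invoice each.
const invoices = [
  { id: "123", ownerId: "alice", amount: 40 },
  { id: "124", ownerId: "bob", amount: 99 },
];

// Minimal stand-in for an ORM (assumption): findById trusts the id,
// findOne requires every key in `where` to match.
function makeStore(rows) {
  const matches = (row, where) =>
    Object.entries(where).every(([k, v]) => row[k] === v);
  return {
    invoices: {
      findById: (id) => rows.find((r) => r.id === id) ?? null,
      findOne: (where) => rows.find((r) => matches(r, where)) ?? null,
    },
  };
}
const db = makeStore(invoices);

const notFound = { status: 404, body: null };

// The IDOR as scaffolded: any logged-in user can read any invoice.
function getInvoiceVulnerable(req, params) {
  const invoice = db.invoices.findById(params.id);
  return invoice ? { status: 200, body: invoice } : notFound;
}

// Fix 1, app-level check: verify ownership in the handler before returning.
// Responding 404 rather than 403 avoids confirming that the id exists.
function getInvoiceChecked(req, params) {
  const invoice = db.invoices.findById(params.id);
  if (!invoice || invoice.ownerId !== req.user.id) return notFound;
  return { status: 200, body: invoice };
}

// Fix 2, scoped query: ownership is part of the lookup, so a mismatch finds nothing.
function getInvoiceScoped(req, params) {
  const invoice = db.invoices.findOne({ id: params.id, ownerId: req.user.id });
  return invoice ? { status: 200, body: invoice } : notFound;
}

// Fix 3, simulated database-level policy: every query made through a
// per-user handle is filtered by ownerId, the way row level security
// applies `auth.uid() = owner_id` to each statement below the application.
function dbForUser(userId) {
  return makeStore(invoices.filter((r) => r.ownerId === userId));
}

// A later endpoint that forgets both checks still cannot leak another
// user's row, because the filter lives below the handler.
function getInvoiceNoCheckButRls(req, params) {
  const invoice = dbForUser(req.user.id).invoices.findById(params.id);
  return invoice ? { status: 200, body: invoice } : notFound;
}

// Demo: bob asks for alice's invoice 123 through each handler.
const bob = { user: { id: "bob" } };
for (const handler of [getInvoiceVulnerable, getInvoiceChecked, getInvoiceScoped, getInvoiceNoCheckButRls]) {
  console.log(handler.name, handler(bob, { id: "123" }).status);
}
```

Running it prints 200 for the vulnerable handler and 404 for the other three. The last handler is the interesting one: it is written exactly like the vulnerable one, with no ownership logic at all, and is still safe only because the store it talks to was scoped before the handler ran.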