During a web assessment, you request the endpoint /api/users/634 and receive a JSON document containing that customer's profile. Changing the URI to /api/users/635 returns another user's record even though you are still logged in as the original user. Which specific web-application threat does this behavior demonstrate?
The behavior is an Insecure Direct Object Reference (IDOR), a specific form of broken access control (the OWASP API Security Top 10 lists the same flaw as API1, Broken Object Level Authorization). The application exposes an internal object identifier (the numeric user ID) in the request path and, although it authenticates the caller, never checks that the caller is authorized for the object that identifier names. Any authenticated user can therefore enumerate IDs and read other customers' records. The other candidate threats do not fit: Cross-Site Request Forgery tricks a victim's browser into sending requests the victim did not intend, and does not involve the attacker changing identifiers within their own session; Cross-Site Scripting injects script into pages served to other users; and Server-Side Request Forgery coerces the server into making outbound requests it should not. None of those, on their own, lets a user read another customer's data simply by editing an ID in the URL. That is a missing object-level authorization check, which is exactly what IDOR describes.
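The following is an added illustration, not code from the assessed application or from the exam page: a vulnerable /api/users/&lt;id&gt; handler beside a hardened one, plus a small probe that reproduces the assessment step of walking neighbouring IDs from one user's session. The user table, the Session and Response types, and the handler names are all constructed for this example.

```python
"""IDOR demo: a vulnerable user-lookup handler beside a hardened one.
Constructed example; the user store, session object and handler
functions are assumptions made for this page, not the assessed app."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the application's user table.
USERS = {
    634: {"id": 634, "email": "alice@example.com", "plan": "gold"},
    635: {"id": 635, "email": "bob@example.com", "plan": "silver"},
    636: {"id": 636, "email": "carol@example.com", "plan": "free"},
}


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller from the authenticated session."""
    user_id: int
    role: str = "user"  # "user" or "admin"


@dataclass(frozen=True)
class Response:
    status: int
    body: Optional[dict] = None


def get_user_vulnerable(session: Session, user_id: int) -> Response:
    """Vulnerable: the caller is authenticated (a session exists), but the
    requested object is never tied back to that caller, so any logged-in
    user can read any id. This is the behaviour described in the question."""
    record = USERS.get(user_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def get_user_secure(session: Session, user_id: int) -> Response:
    """Hardened: object-level authorization. The caller may read only their
    own record unless they hold the admin role. Foreign ids get a 404 rather
    than a 403 so the endpoint does not confirm which ids exist."""
    if session.role != "admin" and session.user_id != user_id:
        return Response(404)
    record = USERS.get(user_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def probe_idor(handler, session: Session, candidate_ids) -> list:
    """Reproduce the assessment step: while holding one user's session, walk
    candidate ids and report every foreign record the handler hands back."""
    leaked = []
    for uid in candidate_ids:
        resp = handler(session, uid)
        if resp.status == 200 and resp.body["id"] != session.user_id:
            leaked.append(uid)
    return leaked


if __name__ == "__main__":
    alice = Session(user_id=634)
    print("vulnerable leaks:", probe_idor(get_user_vulnerable, alice, range(630, 640)))
    print("secure leaks:   ", probe_idor(get_user_secure, alice, range(630, 640)))
```

Run as a script, the vulnerable handler leaks IDs 635 and 636 to Alice's session while the hardened handler leaks nothing. Two points the example makes that the prose alone does not: the fix is an authorization decision made server-side against the session, not a change to the identifier format (switching to random or UUID keys only slows enumeration and is not a substitute for the check), and answering foreign IDs with 404 instead of 403 is a deliberate choice to avoid leaking which IDs exist.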
Certified Ethical Hacker (CEH)
Web Application Hacking