Glossary

INSECURE DIRECT OBJECT REFERENCE / IDOR defined.

A flaw where attackers can access resources by directly manipulating identifiers in URLs, form fields, or APIs without proper authorization checks.


What is Insecure Direct Object Reference (IDOR)?

IDOR is the original term for what the OWASP API Security Top 10 now calls BOLA (Broken Object Level Authorization). The bug is identical: the application uses predictable identifiers, exposes them in URLs or request bodies, and fails to confirm the caller is authorized to access that specific identifier.

Classic example: /api/invoices/1042 — changing the ID to 1043 returns another customer’s invoice. Sequential integers make it trivial; UUIDs help but don’t fix the underlying authorization gap.
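
The invoice lookup above with and without the ownership check, plus a small audit a team can run as a regression test. This is an added example, not code from the original page; the handler names, the in-memory store, the users and the UUID-keyed record are assumptions made for illustration.

```python
# Constructed sample data: invoice id -> record. Ids 1042/1043 mirror the
# example above; the owners and the UUID-keyed record are made up.
OPAQUE_ID = "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b"
INVOICES = {
    "1042": {"owner": "alice", "total": 120.00},
    "1043": {"owner": "bob", "total": 975.50},
    OPAQUE_ID: {"owner": "bob", "total": 40.00},
}


def get_invoice_vulnerable(session_user, invoice_id):
    """IDOR: the caller is authenticated, but session_user is never compared
    with the invoice's owner, so any valid id returns any customer's data."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice


def get_invoice_checked(session_user, invoice_id):
    """Object-level authorization: the owner must match the session user.
    Unknown and foreign ids both return 404 (a design choice made here) so
    the response does not confirm which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        return 404, None
    return 200, invoice


def audit(handler, user):
    """Return the ids for which `handler` gives `user` someone else's invoice."""
    leaked = []
    for invoice_id, record in INVOICES.items():
        status, _body = handler(user, invoice_id)
        if status == 200 and record["owner"] != user:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    # The UUID-keyed invoice leaks too: an opaque id is harder to guess,
    # but once known it is served without any ownership check.
    print("vulnerable:", audit(get_invoice_vulnerable, "alice"))
    print("checked:   ", audit(get_invoice_checked, "alice"))
```
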

Where this shows up.

See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.
