What Is IDOR (Insecure Direct Object Reference)?

Insecure Direct Object Reference (IDOR): A type of access control vulnerability where an application exposes internal implementation objects (database IDs, file names, keys) to users without verifying that the requesting user is authorized to access the referenced object. Attackers modify these references to access resources belonging to other users.

Why It Matters for AI-Coded Apps

AI code generators almost never implement authorization checks on individual resources. They generate CRUD endpoints that fetch data by ID without verifying ownership. In our scans, 67% of vibe-coded apps with user-specific data had at least one IDOR vulnerability. This is the easiest attack to execute – just change a number in the URL.

Real-World Example

An API endpoint GET /api/invoices/1234 returns invoice data. The application checks that the user is authenticated but never checks if invoice 1234 belongs to them. An attacker iterates through IDs (/api/invoices/1235, /api/invoices/1236…) to download every user’s invoices.

How to Detect and Prevent It

Always verify resource ownership in your API handlers: check that the requested resource belongs to the authenticated user. Use UUIDs instead of sequential integers to make enumeration harder (but this is not a security fix, just defense-in-depth). Implement row-level security in your database. Add authorization middleware that checks ownership on every request.

Frequently Asked Questions

Is using UUIDs instead of integer IDs enough to prevent IDOR?

No. UUIDs make enumeration harder but are not a security control. If a UUID is leaked (in URLs, logs, emails, or API responses), the vulnerability is identical. Always implement proper authorization checks regardless of ID format.

How do I test for IDOR?

Log in as User A and note resource IDs. Log in as User B and try to access User A’s resources using those IDs. Automate this with tools like Burp Suite’s Autorize extension, which replays requests with different session tokens.
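As an added example (not code from the original page or from Vibe Eval), here is the invoice endpoint from the example above in plain Python with sqlite3: the vulnerable handler looks up the invoice by id alone, the fixed handler makes ownership part of the query, and find_idor runs the two-user test from the FAQ against either handler. The table, user ids, invoice ids and the dict-based session are all constructed for this example.

```python
import sqlite3
from typing import Callable, Optional

# Constructed in-memory data: user 1 owns invoice 1234, user 2 owns 1235 and 1236.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total_cents INTEGER)")
conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                 [(1234, 1, 9900), (1235, 2, 4500), (1236, 2, 120000)])

COLUMNS = ("id", "owner_id", "total_cents")


def get_invoice_vulnerable(session: dict, invoice_id: int) -> Optional[dict]:
    """GET /api/invoices/<id> as an AI generator tends to write it: the caller
    must be logged in, but the query never asks who owns the invoice."""
    if "user_id" not in session:
        return None  # a real handler would answer 401 here
    row = conn.execute(
        "SELECT id, owner_id, total_cents FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    return dict(zip(COLUMNS, row)) if row else None


def get_invoice_secure(session: dict, invoice_id: int) -> Optional[dict]:
    """Ownership is part of the lookup, so someone else's id returns no row.
    Answering 404 rather than 403 also avoids confirming that the id exists."""
    if "user_id" not in session:
        return None
    row = conn.execute(
        "SELECT id, owner_id, total_cents FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session["user_id"]),
    ).fetchone()
    return dict(zip(COLUMNS, row)) if row else None


def find_idor(handler: Callable, victim: dict, attacker: dict) -> list:
    """The two-user test from the FAQ: collect the victim's invoice ids, replay
    them with the attacker's session, and return every id the handler leaks."""
    victim_ids = [r[0] for r in conn.execute(
        "SELECT id FROM invoices WHERE owner_id = ?", (victim["user_id"],))]
    leaked = []
    for invoice_id in victim_ids:
        row = handler(attacker, invoice_id)
        if row is not None and row["owner_id"] != attacker["user_id"]:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    alice, bob = {"user_id": 1}, {"user_id": 2}
    print("vulnerable handler leaks:", find_idor(get_invoice_vulnerable, alice, bob))  # [1234]
    print("secure handler leaks:", find_idor(get_invoice_secure, alice, bob))  # []
```

The same find_idor check can be kept as a regression test so that a regenerated or refactored handler that drops the owner_id condition fails the build.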

What is the difference between IDOR and broken access control?

IDOR is a specific type of broken access control. Broken access control is the broader category that includes missing authentication, privilege escalation, and IDOR. IDOR specifically refers to manipulating object references (IDs) to access unauthorized resources.
