Broken Access Control moved to the #1 spot on the OWASP Top 10 list in 2021. It's simple, devastating, and automated scanners often miss it because finding it requires reasoning about the application's logic rather than triggering a crash. IDOR (Insecure Direct Object Reference) is a specific type of Broken Access Control.
The Scenario
1. You log in as User A.
2. You check your profile. The URL is:
https://api.example.com/users/1001/billing
3. You change `1001` to `1002` in the address bar.
4. Vulnerability: The server returns User B's credit card info.
5. Why? The server checked "Is the user logged in?", but forgot to check "Is the user AUTHORIZED to see object 1002?".
1. Horizontal vs Vertical Escalation
Horizontal: Accessing data of another user with the same privilege level (Peer-to-Peer).
Example: Reading another user's DMs.
Vertical: Accessing data of a user with higher privileges (Privilege Escalation).
Example: A regular user accessing `/admin/deleteUser?id=5`.
2. Prevention: The Object Owner Check
In your code (Controller level), you must explicitly check ownership.
Bad Code:
// Authentication only: any logged-in caller can fetch any id.
return database.find(request.id);
Good Code:
doc = database.find(request.id);
// Authorization: deny unless the object exists and belongs to the caller.
if (doc == null || doc.ownerID != session.userID) throw ForbiddenException();
return doc;
3. UUIDs help, but don't fix it
Using predictable IDs (1, 2, 3...) makes IDOR easy.
Using UUIDs (a0eebc99-...) prevents guessing, but if the UUID leaks (e.g., in a shared URL), the vulnerability still exists.
Security through obscurity is not security. Proper access control checks are mandatory.
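Sections 2 and 3 together, as an added example that is not part of the original notes: an in-memory billing store keyed by UUID-style ids, read by an unchecked handler and by one that applies the owner check, plus the role check for the vertical case from section 1. The ids, user names and handler names are constructed for the example.

```javascript
// Added example (not from the original notes). All record ids, user ids and
// handler names below are constructed; the store stands in for a real database.

class ForbiddenError extends Error {}
class NotFoundError extends Error {}

// Constructed sample data: one billing record per user, keyed by a UUID.
const billingRecords = new Map([
  ["a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", { ownerId: "user-A", last4: "4242" }],
  ["f47ac10b-58cc-4372-a567-0e02b2c3d479", { ownerId: "user-B", last4: "9876" }],
]);

// Vulnerable: authentication only. Any logged-in caller who knows a record id
// (guessed, or read from a leaked URL) gets the record back, UUID or not.
function getBillingVulnerable(session, recordId) {
  if (!session.userId) throw new ForbiddenError("not logged in");
  const doc = billingRecords.get(recordId);
  if (!doc) throw new NotFoundError();
  return doc;
}

// Fixed: the owner check from section 2. The record is returned only when its
// ownerId matches the caller; the missing-record case is handled before the
// ownership comparison so the handler never dereferences undefined.
function getBillingSecure(session, recordId) {
  if (!session.userId) throw new ForbiddenError("not logged in");
  const doc = billingRecords.get(recordId);
  if (!doc) throw new NotFoundError();
  if (doc.ownerId !== session.userId) throw new ForbiddenError("not the owner");
  return doc;
}

// Vertical case from section 1: an admin-only action checks the caller's role,
// not merely that a session exists.
function deleteUserSecure(session, targetUserId) {
  if (!session.userId) throw new ForbiddenError("not logged in");
  if (session.role !== "admin") throw new ForbiddenError("admin role required");
  return true;
}

// Summarise a call as "ok" or the name of the error it raised.
function outcome(handler, session, ...args) {
  try { handler(session, ...args); return "ok"; } catch (e) { return e.constructor.name; }
}

const sessionA = { userId: "user-A", role: "user" };
const leakedIdOfB = "f47ac10b-58cc-4372-a567-0e02b2c3d479";
console.log(outcome(getBillingVulnerable, sessionA, leakedIdOfB)); // ok (IDOR)
console.log(outcome(getBillingSecure, sessionA, leakedIdOfB));     // ForbiddenError
```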