What is IDOR?
Imagine you're logged into an app and viewing your profile at /api/users/42. You change the 42 to 43 and suddenly you can see someone else's data. That's IDOR.
The application trusts the ID in the request without verifying that you own it. The server fetches the row, the file, or the resource — and hands it over to whoever asks.
IDOR is technically a subset of Broken Access Control (CWE-284), but it's so common that it has its own classification: CWE-639. In the OWASP Top 10, Broken Access Control has been the #1 web application vulnerability category since 2021.
How does IDOR work?
An IDOR bug requires two things: a reference to an internal object that the user can control (usually an ID in a URL, query parameter, or request body), and a missing authorization check on the server side.
Here's a typical vulnerable API route in a Next.js app:
// app/api/invoices/[id]/route.ts
export async function GET(req, { params }) {
  const invoice = await db.invoice.findUnique({
    where: { id: params.id },
  });
  // Problem: no check that this invoice belongs
  // to the requesting user. Any authenticated (or even
  // unauthenticated) caller can read any invoice by id.
  return Response.json(invoice);
}

The fix is to scope the lookup to the authenticated user, so the database can only ever return a row the caller owns:

// app/api/invoices/[id]/route.ts
export async function GET(req, { params }) {
  const session = await getSession(req);
  if (!session) {
    return Response.json({ error: "Unauthorized" }, { status: 401 });
  }
  const invoice = await db.invoice.findUnique({
    where: {
      id: params.id,
      userId: session.user.id, // ownership check
    },
  });
  if (!invoice) {
    // Someone else's invoice and a nonexistent invoice look the same
    // to the caller, so the response does not confirm that the id exists.
    return Response.json({ error: "Not found" }, { status: 404 });
  }
  return Response.json(invoice);
}

Why do AI tools generate IDOR vulnerabilities?
AI code generators are optimized for getting things working. When you ask for a CRUD API, the model generates routes that create, read, update, and delete records — and those routes work perfectly for a single user. The problem is that they rarely add per-user authorization.
- Prompts focus on features, not security. "Build an invoice API" doesn't mention access control. The model delivers exactly what was asked for.
- Training data includes vulnerable patterns. Many tutorials and Stack Overflow answers skip authorization checks for brevity. The model learned from them.
- Authorization is context-dependent. The model can't know your app's ownership rules unless you tell it. It doesn't know that invoices belong to specific users.
According to Veracode's 2025 research, 45% of AI-generated code contains security flaws. IDOR is one of the most common categories because it requires understanding the relationship between users and data — something code generators consistently miss.
Common IDOR patterns
Sequential IDs in URLs
/api/orders/1001, /api/orders/1002 — easy to enumerate.
Body parameter manipulation
Changing { "userId": 42 } to { "userId": 43 } in a POST request.
File path references
/uploads/user-42/receipt.pdf — change the folder name.
GraphQL node queries
query { node(id: "base64-encoded-id") { ... } } with no auth.
How Flowpatrol detects IDOR
Flowpatrol doesn't just check for headers or run a CVE database lookup. It actually tests your app's access control the way a real attacker would:
1. Creates multiple test users and logs in with separate sessions.
2. Discovers data endpoints by crawling the app and observing API calls.
3. Cross-tests access — tries to read User A's data using User B's session.
4. Reports the finding with the exact request, the leaked data, and a copy-paste fix.
This is the kind of testing that traditional scanners skip entirely. They check for known CVEs. Flowpatrol checks your app's actual business logic.
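As an added example (not Flowpatrol's code or the page's own), here is a self-contained TypeScript model of both the ownership-scoped route from the "How does IDOR work?" section and the cross-user check from the steps above: two constructed users each own one invoice, and every invoice is requested with the other user's session, so any 200 is a finding. The in-memory store, the user and invoice ids, and the function names `getInvoiceVulnerable`, `getInvoiceFixed` and `crossUserCheck` are all constructed for this example.

```typescript
// Constructed sample data: two users, each owning one invoice.
type Invoice = { id: string; userId: string; amount: number };
type Session = { user: { id: string } };
type HttpResult = { status: number; body: unknown };

const invoices: Invoice[] = [
  { id: "inv-1001", userId: "user-A", amount: 120 },
  { id: "inv-1002", userId: "user-B", amount: 75 },
];

// Vulnerable handler: looks the invoice up by id alone, never asking who is calling.
function getInvoiceVulnerable(_session: Session | null, id: string): HttpResult {
  const invoice = invoices.find((i) => i.id === id);
  return invoice ? { status: 200, body: invoice } : { status: 404, body: { error: "Not found" } };
}

// Fixed handler: the lookup is scoped to the caller's userId, so another user's
// invoice is indistinguishable from a nonexistent one (404, not 403).
function getInvoiceFixed(session: Session | null, id: string): HttpResult {
  if (!session) return { status: 401, body: { error: "Unauthorized" } };
  const invoice = invoices.find((i) => i.id === id && i.userId === session.user.id);
  return invoice ? { status: 200, body: invoice } : { status: 404, body: { error: "Not found" } };
}

type Finding = { owner: string; requester: string; id: string };

// Cross-user check: for every invoice, request it with every session that does
// NOT belong to its owner. Any 200 means the handler leaks across users.
// Returns the list of findings; an empty list means the handler passed.
function crossUserCheck(
  handler: (session: Session | null, id: string) => HttpResult,
  users: string[],
): Finding[] {
  const findings: Finding[] = [];
  for (const inv of invoices) {
    for (const requester of users.filter((u) => u !== inv.userId)) {
      const res = handler({ user: { id: requester } }, inv.id);
      if (res.status === 200) findings.push({ owner: inv.userId, requester, id: inv.id });
    }
  }
  return findings;
}
```

The same loop generalises to any per-user resource: enumerate each owner's objects, replay each request under every other session, and treat any success as a failed authorization check.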
Check your app for IDOR.
Flowpatrol tests your access controls with real multi-user sessions. Five minutes. One URL.