IDOR Attacks and the Growing Threat to Your API Security – FireTail Blog

Nov 11, 2025 – Jeremy Snyder – IDOR Attacks: Common And Deadly

Insecure Direct Object Reference (IDOR) attacks are one of the most common and costly forms of API breach. In an IDOR attack, hackers directly reference internal objects in a web application that uses APIs [1].

IDOR attacks against APIs fall into three primary types:

1. BOLA (Broken Object Level Authorization)
2. BOPLA (Broken Object Property Level Authorization)
   The former uses a user ID, while the latter uses a specific property of that ID (e.g. the user's email address) to force unauthorized access.
3. BFLA (Broken Function Level Authorization)

These attacks all manipulate a parameter in an API call, typically the user or object ID (or similar), which can be as simple as changing a number in a URL, so that the ID in the request points to a different data record, such as another user's account.

Since applications should have authentication in place, bad actors need a valid user account to get in. Once authenticated, they exploit authorization flaws in the application or business logic to access data and resources they are not entitled to.

A basic overview of how IDOR attacks work.

The Rise of IDOR Attacks

At the end of July, a joint advisory from the Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) stated that IDOR/BOLA attacks are a key issue companies need to address [2].

The updated OWASP API Top Ten for this year added broken authorization checks to its list due to the rising urgency of these kinds of attacks. This rapid rise in IDOR attacks can also be observed in FireTail's Data Breach Tracker over the past 12 years [3].

Based on these trends, IDOR vulnerabilities are rapidly becoming one of the most important parts of API security. 

The advisory highlights the importance of implementing best practices for security-by-design principles in applications, such as secure coding practices, to protect against these attacks. 

An API security strategy must contain multiple layers, including API discovery and visibility, security policy assessment, runtime protection and a centralized audit trail to track API events and breaches continuously. 

Strong authorization checks are top priority in preventing IDOR vulnerabilities.
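The three failure types listed above, and the object-, property- and function-level checks that close them, as an added example that is not from the FireTail article or any FireTail product. The handlers return (status, body) pairs like HTTP responses, and the users and records are constructed sample data.

```python
# Added example, not from the FireTail article: an in-memory API whose handlers
# return (status, body) like HTTP responses. Users and records are constructed.
from dataclasses import dataclass

@dataclass
class User:
    id: int
    role: str     # "user" or "admin"
    email: str

# Constructed sample records; in a real service this is the database.
USERS = {
    1: User(1, "user", "alice@example.test"),
    2: User(2, "user", "bob@example.test"),
    9: User(9, "admin", "root@example.test"),
}
FORBIDDEN = (403, {"error": "forbidden"})

# BOLA, vulnerable: the caller is authenticated, but the handler trusts the
# object id from the URL and never checks ownership, so GET /users/2 as Alice returns Bob's record.
def get_profile_vulnerable(caller: User, target_id: int):
    u = USERS[target_id]
    return 200, {"id": u.id, "email": u.email}

# BOLA, fixed: object-level check ties the requested id to the caller.
def get_profile(caller: User, target_id: int):
    u = USERS[target_id]
    if u.id != caller.id and caller.role != "admin":
        return FORBIDDEN
    return 200, {"id": u.id, "email": u.email}

# BOPLA, fixed: only an explicit allow-list of properties is writable, so a
# client cannot promote itself by sending {"role": "admin"} in the body.
WRITABLE = {"email"}
def update_profile(caller: User, target_id: int, patch: dict):
    u = USERS[target_id]
    if u.id != caller.id:
        return FORBIDDEN
    if set(patch) - WRITABLE:
        return 403, {"error": "property not writable"}
    for key, value in patch.items():
        setattr(u, key, value)
    return 200, {"id": u.id, "email": u.email, "role": u.role}

# BFLA, fixed: function-level check; deleting users is admin-only whatever id is supplied.
def delete_user(caller: User, target_id: int):
    if caller.role != "admin":
        return FORBIDDEN
    USERS.pop(target_id, None)
    return 204, {}
```

The vulnerable handler is the one to look for in review: authentication is present, yet nothing binds the id in the request to the caller.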

Overall, developers must be educated on IDOR/BOLA attacks, so they can keep up wit

[…]

This article has been indexed from Security Boulevard