惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
GRAHAM CLULEY
V
V2EX
WordPress大学
WordPress大学
博客园 - Franky
Last Week in AI
Last Week in AI
博客园 - 司徒正美
有赞技术团队
有赞技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 【当耐特】
V
Visual Studio Blog
C
CERT Recently Published Vulnerability Notes
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Jina AI
Jina AI
Attack and Defense Labs
Attack and Defense Labs
腾讯CDC
The Hacker News
The Hacker News
Hugging Face - Blog
Hugging Face - Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
J
Java Code Geeks
人人都是产品经理
人人都是产品经理
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
A
Arctic Wolf
量子位
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
雷峰网
雷峰网
博客园_首页
Google Online Security Blog
Google Online Security Blog
Spread Privacy
Spread Privacy
罗磊的独立博客
H
Hacker News: Front Page
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
TaoSecurity Blog
TaoSecurity Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 三生石上(FineUI控件)
宝玉的分享
宝玉的分享
IT之家
IT之家
The Cloudflare Blog
爱范儿
爱范儿
博客园 - 叶小钗
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
IDOR Vulnerabilities Explained: Why They Persist in Modern Applications
Sooraj Shah · 2026-01-02 · via Aikido Security's Blog

Insecure Direct Object References, commonly referred to as IDORs, remain one of the most common and damaging classes of application vulnerabilities. Despite being well documented and widely understood at a conceptual level, they continue to appear in real production systems, particularly in modern, API-driven applications.

An IDOR vulnerability occurs when an application uses a user-supplied identifier to access an internal object without verifying that the current user is authorized to access that specific object. This issue sits within the broader category of broken access control, but it is distinct in how it manifests and why it is difficult to eliminate completely.

IDORs persist not because teams are unaware of them, but because they emerge from how real systems evolve. They are often introduced at the edges of workflows, during refactors, or when ownership assumptions are reused across steps that were not originally designed to be connected. This article explains what IDORs look like in practice, why common security testing approaches struggle to detect them reliably, and how modern testing techniques validate ownership failures in running systems.

What Is an Insecure Direct Object Reference in Practice

An IDOR vulnerability occurs when an application accepts an identifier that references an internal object, such as a record, document, or account, and uses it directly without consistently enforcing authorization for that object.

Identifiers commonly appear as:

  • User IDs in URL paths
  • Order or invoice IDs in query parameters
  • Resource identifiers in request bodies

The vulnerability is not the identifier itself. The vulnerability is the assumption that the identifier belongs to the authenticated user, without revalidating that assumption on the server.

In modern applications, this assumption often holds in most places but not all. That inconsistency is where IDORs exist.

Why IDOR Vulnerabilities Are Especially Dangerous in APIs

In API security literature, IDORs are often referred to as Broken Object Level Authorization (BOLA), the top risk in the OWASP API Security Top 10. OWASP moved to the term BOLA to fit modern API design.

APIs expose core application functionality and data. When an IDOR exists in an API, attackers can often exploit it at scale.

Common impacts include:

  • Accessing sensitive data belonging to other users
  • Modifying or deleting resources owned by others
  • Bypassing business rules tied to ownership or role
  • Undermining workflows such as approvals, billing, or account management

Because APIs are designed for automation, a single missing ownership check can compromise large portions of a system.

Common Types of IDOR Vulnerabilities

IDOR is an umbrella term. In practice, teams encounter several recurring patterns:

  • Horizontal IDOR: A user accesses another user’s objects at the same privilege level
  • Vertical IDOR: Identifiers allow access to privileged or administrative objects
  • Blind IDOR: The response does not expose data, but the action succeeds on someone else’s object

Blind IDORs are especially easy to miss with tools that focus on obvious data exposure. They often require explicit validation to confirm impact.

How IDOR Vulnerabilities Are Traditionally Tested in Practice

During a penetration test, IDOR testing is typically performed through careful request replay and comparison.

In practice, this involves:

  • Authenticating as a legitimate user
  • Exercising workflows through the UI
  • Capturing requests sent by the browser or client
  • Replaying those requests with a different authenticated user
  • Comparing responses to see whether behavior changes

For example, if a request that should only return data for User A returns the same data when replayed as User B, this indicates broken access control.

This approach is effective and widely used. It relies on the tester’s understanding of application intent and their ability to reason about which requests are security-sensitive.

However, it is also inherently manual and time-consuming. Each additional workflow, role, or state transition multiplies the number of requests that need to be captured, replayed, and interpreted. As applications grow more complex, it becomes impractical to apply this comparison exhaustively across all possible paths.

This is why manual testing often finds IDORs in areas that receive close attention, but cannot guarantee comprehensive coverage.

Why DAST Tools Miss Real IDOR Vulnerabilities

Dynamic application security testing tools operate at the request level. They crawl endpoints, fuzz inputs, and look for anomalous responses. What they do not understand is intent. A scanner does not know whether a given invoice belongs to User A or User B. It does not reason about ownership, workflow context, or whether a response is appropriate for the authenticated identity. As long as the application responds cleanly, often with a 200 OK, a scanner may treat the interaction as successful even when sensitive data is exposed to the wrong user.

This makes DAST useful for surface-level issues, but fundamentally limited when it comes to IDORs and other authorization failures that depend on object ownership and context. This limitation is not specific to any one tool. It reflects the fact that request-level scanning, even when well implemented, does not have enough context to reason about object ownership and workflow intent.

Why Static Analysis Creates Noise Around IDORs

Many teams rely on static analysis tools to flag potential IDOR issues. These tools typically look for patterns where identifiers are passed into handlers or controllers without obvious authorization checks nearby.

This often produces a large number of findings.

In practice, most of these are false positives. Authorization checks frequently exist elsewhere in the call chain, in shared middleware, or at a framework level. Static analysis cannot reliably determine whether an identifier is exploitable at runtime.

This problem is amplified when authorization is implemented implicitly or distributed across layers, including:

  • Access control enforced by middleware or decorators
  • Checks implemented in shared services or model methods
  • Permission logic spread across multiple files and call paths

In these cases, static tools see an identifier and a data access path, but miss the full authorization context. The result is a high volume of plausible-looking findings with low confidence.

This is a fundamental limitation of static analysis. Without runtime state and identity context, no code-level analysis can reliably determine whether an object reference is exploitable in practice.

Even AI-assisted static analysis tools remain predictive. They reason about code structure, but cannot confirm runtime behavior. As a result, IDOR-like findings often carry false positive rates exceeding fifty percent, forcing teams to triage theoretical issues while real ownership failures risk being buried.

The Core Problem: Ownership Is Contextual

IDORs are not simply missing checks. They are failures of contextual authorization tied to object ownership.

Ownership is established through a combination of:

  • Authentication state
  • Role and permission models
  • Workflow progression
  • Server-side state created earlier in a process

If any part of that context is assumed rather than revalidated, an IDOR can emerge.

Some IDORs are second-order. An identifier is accepted in one step, stored, and only used later when access control is no longer checked. These issues are particularly difficult to detect because the exploit is separated across time and steps.

Testing IDORs reliably requires repeatedly asking a simple question: what happens if this identifier belongs to someone else?

UUIDs Do Not Prevent IDOR Vulnerabilities

It is a common misconception that switching from sequential identifiers to UUIDs eliminates IDOR risk.

Unpredictable identifiers reduce brute force attacks. They do not prevent unauthorized access if ownership checks are missing.

In real systems, attackers obtain identifiers through normal application behavior, including:

  • References returned by other endpoints
  • Shared links and URLs
  • In-app messages and notifications
  • Logs, exports, and browser history

If an attacker can obtain a valid identifier and the backend does not enforce ownership, an IDOR still exists.

How AI Pentesting Finds IDOR Vulnerabilities Others Miss

AI pentesting takes a different approach to identifying authorization failures.

Rather than stopping at detection, it actively tests hypotheses about ownership and access control in a running application.

Within Aikido, this approach is implemented through Aikido Attack, autonomous penetration testing that matches human creativity with machine speed. It is designed to evaluate authorization and ownership failures in real environments. Aikido Attack operates using real identities, exercises workflows end to end, and validates exploitability before reporting findings.

For IDORs, this process involves:

  • Authenticating as real users
  • Exercising full workflows end to end
  • Reusing object identifiers across roles and contexts
  • Attempting to access or modify resources owned by other users
  • Validating whether the behavior is exploitable and reproducible

Only issues that can be exploited in practice are reported. The rest are discarded automatically.

This reduces false positives and ensures that reported findings represent real authorization failures. In situations where intent is unclear, a human tester would typically need to consult with the application owner. Runtime validation resolves this directly.

Focused Testing of Ownership Assumptions

AI pentesting allocates dedicated effort to evaluating ownership assumptions tied to object identifiers across an application.

Rather than treating IDORs as a side effect of generic testing, it explicitly focuses on:

  • Identifiers bound to user-owned resources
  • Workflow transitions that reuse object references
  • Backend endpoints that rely on frontend ownership assumptions

This ensures consistent coverage of the parts of a system where IDORs actually occur.

Example: IDOR in a Multi-Step Approval Workflow

This example illustrates how an IDOR can emerge across multiple workflow steps even when individual endpoints appear to enforce access control correctly.

Application Context

The application includes a multi-step approval workflow for sensitive actions. A user creates a request that must later be reviewed and approved. Each request is tied to the user who created it and is referenced by an identifier used across multiple API calls.

Only the owner of a request is intended to view or modify it prior to approval.

What the System Observed

AI pentesting authenticated as a standard user and exercised the request creation flow. During this process, the system stored intermediate workflow state on the server and reused it across later steps.

Initial ownership checks were correctly enforced when the request was created.

Ownership Testing Across the Workflow

Further testing evaluated how the request identifier was used in later stages. It observed that:

  • The identifier was reused when resuming a pending request
  • Later API calls assumed ownership based on earlier validation
  • Ownership was not revalidated when the workflow was resumed

By replaying the resume action with a different authenticated user and substituting the request identifier, the system was able to access and act on a request it did not own.

Why This Was an IDOR Vulnerability

The issue did not originate from a single missing check.

It resulted from an assumption that ownership had already been validated earlier in the workflow and did not need to be rechecked when the request was resumed. That assumption failed once object identifiers were reused across users.

Validation and Reproducibility

Before reporting the issue, the system:

  • Replayed the full sequence multiple times
  • Confirmed consistent behavior
  • Captured evidence of unauthorized access

Only after reproducibility and impact were confirmed was the issue reported.

Why This Would Be Missed by Other Approaches

Each individual endpoint behaved correctly in isolation. The vulnerability only emerged when:

  • A workflow was partially completed
  • Server-side state was reused
  • A later step was invoked outside the original user context

This made the issue difficult to detect through manual testing and invisible to request-based scanning tools.

Why Continuous Testing Matters for IDOR Vulnerabilities

IDORs are often introduced by change.

They commonly appear when:

  • New features reuse existing data models
  • Authorization logic is added in one place but not another
  • Refactors unintentionally bypass earlier ownership checks

A point-in-time test may confirm that ownership is enforced today, but that assurance degrades as the application evolves.

Continuous AI-driven testing maintains confidence by re-evaluating ownership assumptions as software changes. Continuous pentesting tools support this by continuously testing new and modified workflows for unauthorized object access.

IDOR Vulnerabilities as a Symptom of System Complexity

IDORs are not edge cases. They are a natural outcome of complex systems evolving over time.

As applications grow, ownership logic spreads across services, workflows, and layers. Assumptions accumulate, and reasoning about object-level access becomes increasingly difficult.

AI pentesting does not remove this complexity, but it makes it testable.

By systematically exercising workflows, tracking state, and validating ownership in context, it turns one of the most persistent vulnerability classes into something that can be detected earlier, more consistently, and with greater confidence.

Security teams increasingly prioritize IDORs and other authorization failures because they are system-specific, regression-prone, and difficult to validate without workflow-aware, runtime testing.

You may also like:

Get a pentest done today wth Aikido Attack.