IDOR (Insecure Direct Object Reference) is an access control vulnerability that arises when an application uses user-supplied input, such as an ID in a URL or request body, to look up an object directly. If the application does not verify that the logged-in user is authorized to access that particular object, an attacker can change the reference and read or modify data belonging to other users.
For example, consider a simple online banking application where each user has a unique ID and can view their bank account details via a URL like this:
<https://www.examplebank.com/account?userid=12345>
In this case, 12345 is the unique ID for a specific user. When this user is logged in, they can access their account details using this URL.
Now, suppose there is an attacker who also has an account with the bank, and their userid is 67890. They can view their account details at:
<https://www.examplebank.com/account?userid=67890>
If this banking application is vulnerable to IDOR, the attacker can simply change the userid parameter in the URL from 67890 to 12345. If the application does not check that the logged-in user (here, the attacker) is authorized to access the account of user 12345, the attacker can read, and possibly modify, that user's account details:
<https://www.examplebank.com/account?userid=12345>
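The following is an added example, not code from the page, that models the banking endpoint above in plain Python: the vulnerable handler that trusts the userid parameter, the same handler with an ownership check, and the strongest fix, which ignores the client-supplied identifier and takes it from the session instead. The ACCOUNTS store, the session dictionary shape, the handler names and the handle() stand-in for the web framework are all assumptions made for illustration.

```python
# Added illustration of the banking endpoint discussed above (not code from
# the page). The data store, session shape and handler names are assumptions.
ACCOUNTS = {
    # constructed sample data: the two customers from the text
    "12345": {"owner": "12345", "balance": 2500.00, "email": "victim@example.com"},
    "67890": {"owner": "67890", "balance": 40.00, "email": "attacker@example.com"},
}


class Forbidden(Exception):
    """Raised when the logged-in user is not allowed to touch the object."""


def account_vulnerable(session, params):
    """GET /account?userid=...  The object is fetched purely from the
    client-supplied identifier; the session is never consulted (IDOR)."""
    return ACCOUNTS[params["userid"]]


def _owned_account(session, userid):
    """Look up an account and confirm that it belongs to the logged-in user.
    'Not found' and 'not yours' are deliberately indistinguishable, so the
    userid parameter cannot be used to enumerate which IDs exist."""
    record = ACCOUNTS.get(userid)
    if record is None or record["owner"] != session["userid"]:
        raise Forbidden("no such account")
    return record


def account_checked(session, params):
    """Same endpoint with an ownership check before returning the object."""
    return _owned_account(session, params["userid"])


def account_from_session(session, params):
    """Strongest fix: do not trust the URL at all; derive the identifier
    from the authenticated session. The userid parameter is ignored."""
    return ACCOUNTS[session["userid"]]


def update_email_checked(session, params, new_email):
    """A write operation (the 'possibly modify' case) guarded the same way."""
    record = _owned_account(session, params["userid"])
    record["email"] = new_email
    return record


def handle(handler, session, params, *args):
    """Tiny stand-in for the web framework: map the handler outcome to an
    HTTP status plus payload. Returns (status, payload)."""
    try:
        return 200, handler(session, params, *args)
    except Forbidden:
        return 403, None
    except KeyError:
        return 404, None


if __name__ == "__main__":
    attacker = {"userid": "67890"}   # logged in as 67890
    tampered = {"userid": "12345"}   # URL edited to the victim's ID
    print(handle(account_vulnerable, attacker, tampered))    # (200, victim's record)
    print(handle(account_checked, attacker, tampered))       # (403, None)
    print(handle(account_from_session, attacker, tampered))  # (200, attacker's own record)
```

Two design points worth noting: the check compares the object's owner against the identity established by the session, never against anything the client sent, and the failure response is the same whether the account does not exist or belongs to someone else, so the tampered parameter cannot be used to enumerate valid IDs. Where an endpoint only ever serves the caller's own object, account_from_session shows that the cleanest fix is to stop accepting the identifier from the client at all.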