Insecure direct object reference

Insecure direct object reference (IDOR) is a type of access control vulnerability in web application security. It arises when an application exposes a reference to an internal object, such as a database key or a file name, and retrieves that object for the requester without checking that the requester is authorized to access it.

For example, if the request URLs of a web site embed an easily enumerated unique identifier (such as http://foo.com/doc/1234) and the server does not verify the requester's authorization for each object, an attacker can simply increment the identifier to gain unintended access to every record.
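The following Python example is added here to illustrate the enumeration above; it is not code from the original article. It models a document store with sequential integer keys (a constructed sample, with hypothetical users alice, bob and carol), a vulnerable handler that trusts the identifier from the URL, a hardened handler that performs an object-level authorization check, and the attacker's loop over the identifier space.

```python
"""Sequential-identifier IDOR: vulnerable lookup beside its hardened form."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample store with sequential keys, as in http://foo.com/doc/1234.
DOCUMENTS = {
    1233: Document(1233, "alice", "alice's tax return"),
    1234: Document(1234, "bob", "bob's medical record"),
    1235: Document(1235, "carol", "carol's contract"),
}


class NotFound(Exception):
    """Raised when the requester may not see the object (missing or not theirs)."""


def get_document_vulnerable(user: str, doc_id: int) -> str:
    """Honours the reference as given: any logged-in user can read any record."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def get_document_hardened(user: str, doc_id: int) -> str:
    """Object-level authorization: the reference is served only to its owner.

    Missing and foreign objects get the same response so that an
    enumerating attacker cannot use the error to map which ids exist.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != user:
        raise NotFound(doc_id)
    return doc.body


def enumerate_records(handler, user: str, start: int, stop: int) -> dict:
    """Attacker's view: walk the id space as `user` and keep whatever comes back."""
    leaked = {}
    for doc_id in range(start, stop):
        try:
            leaked[doc_id] = handler(user, doc_id)
        except NotFound:
            continue
    return leaked


if __name__ == "__main__":
    print("vulnerable:", sorted(enumerate_records(get_document_vulnerable, "alice", 1230, 1240)))
    print("hardened:  ", sorted(enumerate_records(get_document_hardened, "alice", 1230, 1240)))
```

Against the vulnerable handler, alice's enumeration returns all three records; against the hardened one it returns only her own. Replacing the sequential key with an unguessable identifier makes enumeration harder but does not remove the flaw: the per-object authorization check is the fix, and a random identifier is at most defence in depth.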

A directory traversal attack is considered a special case of an IDOR, in which the exposed object reference is a file system path rather than a database key.[3]

In November 2020, the firm Silent Breach identified an IDOR vulnerability with the United States Department of Defense web site and privately reported it via the DOD's Vulnerability Disclosure Program.
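The following Python example is added here to show the path-based case; it is not code from the original article, and the document root /srv/docs is an assumption made for the example. A naive resolver joins the client-supplied name onto the root, so "../" sequences or an absolute path escape it; the hardened resolver canonicalises the result and requires it to sit beneath the root.

```python
"""Path-based IDOR (directory traversal): the object reference is a file name."""
import os

DOCS_ROOT = "/srv/docs"  # assumed document root, chosen for this example


def resolve_vulnerable(user_path: str, base_dir: str = DOCS_ROOT) -> str:
    """Joins the client-supplied name directly.

    os.path.join neither normalises '..' nor keeps base_dir when the
    second argument is absolute, so the caller can reach any file.
    """
    return os.path.join(base_dir, user_path)


def resolve_hardened(user_path: str, base_dir: str = DOCS_ROOT) -> str:
    """Canonicalise, then require the target to lie strictly beneath base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so a sibling such as
    # /srv/docs2 is rejected where a plain startswith() check would pass it.
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{user_path!r} resolves outside {base_dir}")
    return target


def is_within_root(user_path: str, base_dir: str = DOCS_ROOT) -> bool:
    """Boolean form of the hardened check, for callers that prefer no exception."""
    try:
        resolve_hardened(user_path, base_dir)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for p in ["report.txt", "../../etc/passwd", "/etc/passwd", "../docs2/x", ""]:
        print(f"{p!r:22} vulnerable -> {resolve_vulnerable(p)!s:32} hardened -> {is_within_root(p)}")
```

Canonicalising with realpath also resolves symbolic links, so a link inside the root that points outside it is rejected as well. The check still depends on base_dir itself being the intended directory; an empty name, which would resolve to the root directory itself, is refused rather than served.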

The bug was fixed by adding a user session mechanism to the account system, so that a request must first be authenticated on the site before the referenced object is served. In general, a session only establishes who is making the request; an IDOR is fully closed only when each request is also checked for authorization to the specific object it references.