Skip to content

Insecure Direct Object Reference

Insecure Direct Object Reference


A direct object reference occurs when an Application exposes a direct reference to an internal object without proper authorization.

This class of vulnerability results in an insecure direct, which may result in access to sensitive data and authorization bypass.


There are multiple ways to prevent Indirect Object Reference vulnerabilities:

  1. Perform proper access control checks.
  2. Use indirect reference using the user\'s session or account.


  • CWE_TOP_25:
    • CWE_862
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_6_4
    • REQ_7_3
    • REQ_11_3