# Insecure Direct Object References

> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP

## Summary

* [Tools](#tools)
* [Labs](#labs)
* [Exploit](#exploit)
    * [Numeric Value Parameter](#numeric-value-parameter)
    * [Common Identifiers Parameter](#common-identifiers-parameter)
    * [Weak Pseudo Random Number Generator](#weak-pseudo-random-number-generator)
    * [Hashed Parameter](#hashed-parameter)
    * [Wildcard Parameter](#wildcard-parameter)
* [IDOR Tips](#idor-tips)
* [References](#references)

## Tools

- [PortSwigger/BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)
- [PortSwigger/BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)
- [PortSwigger/BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)

## Labs

- [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)

## Exploit

IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion.

**Example of IDOR**

Imagine a web application that allows users to view their profile by clicking a link `https://example.com/profile?user_id=123`:

```php
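<?php
// Added example, not code from the original page: a deliberately simplified
// profile lookup for the /profile?user_id=123 link described above, showing the
// IDOR pattern next to its hardened form. The $users array, the function names
// and $currentUserId are constructed stand-ins for a real database and session
// layer; they are assumptions of this example, not part of the page.

// Constructed data store: user id => profile record.
$users = [
    123 => ['name' => 'alice', 'email' => 'alice@example.com'],
    124 => ['name' => 'bob',   'email' => 'bob@example.com'],
];

// Vulnerable handler: the object is selected purely from the user-supplied
// user_id parameter, with no check that the caller is allowed to read it.
function getProfileVulnerable(array $users, string $userIdParam): ?array
{
    $id = (int) $userIdParam;      // taken straight from ?user_id=...
    return $users[$id] ?? null;    // any id resolves to any user's record
}

// Hardened handler: the server-side session decides which object the caller
// may access; the request parameter is only compared against that identity.
function getProfileSecure(array $users, string $userIdParam, int $currentUserId): ?array
{
    $id = (int) $userIdParam;
    if ($id !== $currentUserId) {
        // Deny and log the attempt instead of returning another user's record;
        // these log lines are what a detection rule for IDOR probing keys on.
        error_log("authorization denied: user $currentUserId requested profile $id");
        return null;
    }
    return $users[$id] ?? null;
}

// Demo: the session identifies the caller as user 123, but the request asks
// for user 124, as in the parameter-tampering scenario the page describes.
$currentUserId = 123;
var_dump(getProfileVulnerable($users, '124'));              // leaks bob's record
var_dump(getProfileSecure($users, '124', $currentUserId));  // NULL, access denied
var_dump(getProfileSecure($users, '123', $currentUserId));  // alice's own record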