Insecure Direct Object Reference
An Insecure Direct Object Reference happens when an application exposes an identifier, like a record number in a URL, and fails to check whether the requester is authorized to access it. An attacker simply changes the identifier to view or modify someone else's data. IDOR is one of the most common causes of large-scale data exposure in web and mobile APIs.