← vuln-lab catalog

IDOR — insecure direct object reference

/api/users/:id returns any user's full record — email, role, SSN, API key — with no ownership or authorization check. Just increment the id to walk every account.

(loading…)

Trigger: /api/users/2, /api/users/3 — leaks other users' ssn / apiKey.

Detected by: browser_cdp_idor_fuzz