# Insecure Direct Object Reference (IDOR)

- ID: javascript-idor
- Severity: HIGH
- CWE: Authorization Bypass Through User-Controlled Key (CWE-639)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs, koa, hapi, nestjs

## Description

Detects when user-controlled input (from URL parameters, query strings, or the request body) is used directly to look up database records without verifying that the authenticated user is permitted to access that specific resource. IDOR vulnerabilities let an attacker read, modify, or delete resources belonging to other users simply by changing the identifier in a request.

## Detection Message

User-controlled ID from {source} is used directly to access a resource at {sink} without verifying that the authenticated user owns or has permission to access it.

## Remediation

Scope the query to the authenticated user by including `userId` in the lookup, so that ownership is verified as part of the query itself rather than by a separate check that can be forgotten.

```javascript
const order = await Order.findOne({
  where: { id: req.params.id, userId: req.user.id }
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-639/idor

## Related Rules

- **Horizontal Privilege Escalation** [HIGH]
- **Insecure Direct Object Reference (IDOR)** [HIGH]
- **Potential IDOR - Generic Data Access** [MEDIUM]
- **Horizontal Privilege Escalation** [CRITICAL]
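The following is an added, self-contained example (not code from the rule or from any framework) that contrasts the flagged pattern with the remediated one. It uses a constructed in-memory `orders` table and a minimal `findOne` stand-in for an ORM, with request objects shaped like Express's `req.params` and `req.user`.

```javascript
// Constructed sample data: two users, each owning one order.
const orders = [
  { id: "1001", userId: "alice", total: 42 },
  { id: "1002", userId: "bob", total: 99 },
];

// Minimal stand-in for an ORM's findOne({ where }): every key in `where`
// must match the row. Real ORMs behave the same way for this purpose.
function findOne(table, where) {
  const match = table.find((row) =>
    Object.keys(where).every((key) => row[key] === where[key])
  );
  return match || null;
}

// The pattern this rule flags: the ID comes straight from req.params and the
// query is not scoped to the authenticated user, so any logged-in user can
// fetch any order by guessing or enumerating IDs.
function getOrderVulnerable(req) {
  const order = findOne(orders, { id: req.params.id });
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// Remediated per the rule: ownership is part of the query. A record that
// exists but belongs to someone else looks identical to a missing one (404),
// so the endpoint does not double as an existence oracle either.
function getOrderScoped(req) {
  if (!req.user || !req.user.id) {
    return { status: 401, body: null }; // no authenticated principal
  }
  const order = findOne(orders, { id: req.params.id, userId: req.user.id });
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// Constructed requests: alice asks for bob's order, then for her own.
const crossUserReq = { params: { id: "1002" }, user: { id: "alice" } };
const ownReq = { params: { id: "1001" }, user: { id: "alice" } };

console.log("vulnerable, cross-user:", getOrderVulnerable(crossUserReq).status); // 200
console.log("scoped, cross-user:    ", getOrderScoped(crossUserReq).status);     // 404
console.log("scoped, own order:     ", getOrderScoped(ownReq).status);           // 200
```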