1 article with this tag
IDOR (Insecure Direct Object Reference) lets a user change ?id=124 to 125 and read someone else's invoice or personal data — broken access control. The real defense: server-side, check on every access whether the logged-in user is allowed this object. Hard-to-guess IDs are not a fix.
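As an added example (not code from the tagged article), a minimal invoice endpoint in both forms: one that trusts the ?id= parameter and one that checks object ownership against the session user on every request. The in-memory store, user ids and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: str

# Constructed sample store: invoice 124 belongs to user 1, 125 to user 2.
INVOICES = {
    124: Invoice(124, owner_id=1, total="EUR 80.00"),
    125: Invoice(125, owner_id=2, total="EUR 1200.00"),
}

Response = Tuple[int, Optional[Invoice]]  # (HTTP status, body)

def parse_invoice_id(url: str) -> Optional[int]:
    """Extract ?id= from a request URL; None if missing or not an integer."""
    values = parse_qs(urlsplit(url).query).get("id", [])
    return int(values[0]) if values and values[0].isdigit() else None

def get_invoice_insecure(session_user_id: int, url: str) -> Response:
    """IDOR: the request picks the object and the session user is never
    consulted, so changing ?id=124 to ?id=125 returns another user's invoice."""
    invoice_id = parse_invoice_id(url)
    invoice = INVOICES.get(invoice_id) if invoice_id is not None else None
    return (200, invoice) if invoice else (404, None)

def get_invoice_secure(session_user_id: int, url: str) -> Response:
    """Fix: on every access, compare the object's owner with the user id taken
    from the authenticated session (never from the request). A foreign object
    is answered exactly like a missing one, so the response does not reveal
    which ids exist; unguessable ids would add nothing to this check."""
    invoice_id = parse_invoice_id(url)
    invoice = INVOICES.get(invoice_id) if invoice_id is not None else None
    if invoice is None or invoice.owner_id != session_user_id:
        return 404, None
    return 200, invoice

if __name__ == "__main__":
    # User 1 tampers with the id: only the insecure handler leaks user 2's data.
    print(get_invoice_insecure(1, "/invoice?id=125"))  # status 200, user 2's invoice
    print(get_invoice_secure(1, "/invoice?id=125"))    # (404, None)
    print(get_invoice_secure(1, "/invoice?id=124"))    # status 200, own invoice
```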