LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you prevent IDOR vulnerabilities in a REST API?

Always verify ownership/authorization at the data layer — never trust the resource ID alone.

Vulnerable pattern (trusts the ID):

// Anyone can access any account by changing the ID!
@GetMapping("/accounts/{id}")
public Account getAccount(@PathVariable Long id) {
    return accountRepository.findById(id);
}

Secure pattern (ownership check):

@GetMapping("/accounts/{id}")
public Account getAccount(@PathVariable Long id, Authentication auth) {
    Account account = accountRepository.findById(id);
    if (!account.getOwnerId().equals(auth.getUserId())) {
        throw new AccessDeniedException("Not your account");
    }
    return account;
}

Even better (query-level enforcement):

@GetMapping("/accounts/{id}")
public Account getAccount(@PathVariable Long id, Authentication auth) {
    // Only returns account if user owns it — no separate check needed
    return accountRepository.findByIdAndOwnerId(id, auth.getUserId())
        .orElseThrow(() -> new NotFoundException());
}

Key principle: Don't just check "is the user authenticated?" — check "does this user have access to THIS specific resource?"

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026