Quiz Entry - updated: 2026.07.14
How do you prevent IDOR vulnerabilities in a REST API?
Always verify ownership/authorization at the data layer — never trust the resource ID alone.
Vulnerable pattern (trusts the ID):
// Anyone can access any account by changing the ID!
@GetMapping("/accounts/{id}")
public Account getAccount(@PathVariable Long id) {
return accountRepository.findById(id);
}
Secure pattern (ownership check):
@GetMapping("/accounts/{id}")
public Account getAccount(@PathVariable Long id, Authentication auth) {
Account account = accountRepository.findById(id);
if (!account.getOwnerId().equals(auth.getUserId())) {
throw new AccessDeniedException("Not your account");
}
return account;
}
Even better (query-level enforcement):
@GetMapping("/accounts/{id}")
public Account getAccount(@PathVariable Long id, Authentication auth) {
// Only returns account if user owns it — no separate check needed
return accountRepository.findByIdAndOwnerId(id, auth.getUserId())
.orElseThrow(() -> new NotFoundException());
}
Key principle: Don't just check "is the user authenticated?" — check "does this user have access to THIS specific resource?"