Quiz Entry - updated: 2026.07.05
What is Broken Access Control and what are IDOR and Path Traversal attacks?
Broken Access Control = a user reaching data/actions they shouldn't. IDOR is tampering with an object ID (e.g. ?accountId=1234→1235) to reach another user's object; path traversal is using ../ to climb out of an allowed directory into a forbidden one.
* IDOR: without an ownership check, incrementing the id leaks another user's record; adding AND owner_id = current user denies it. *
Insecure Direct Object Reference (IDOR):
- Application uses user-supplied input to access objects directly
- Example:
https://example-bank.com/account/details?accountId=1234 - Attack: Change
1234to1235to access another user's account
Vulnerable code (no ownership check):
String query = "SELECT * FROM accts WHERE account = ?";
pstmt.setString(1, request.getParameter("acct"));
// No check if user owns this account!
Fixed code (ownership enforced):
String query = "SELECT * FROM accts WHERE account = ? AND owner_id = ?";
pstmt.setString(1, request.getParameter("acct"));
pstmt.setString(2, currentUser.getId()); // Only return if user owns it
Path Traversal:
- MANAGER can access
/managers/*, USER only/users/* - Attack: USER requests
/users/../managers/salaries.xhtml - The
../navigates up one directory, bypassing the path-based access control - Result: Unauthorized access to manager resources
Go deeper:
PortSwigger — Insecure direct object references (IDOR) — labs on database-reference and static-file IDOR variants.