FixVibe

// probes / spotlight

IDOR / BOLA

If your API trusts the client to send the correct ID, the client can send any ID.

Il gancio

IDOR — Insecure Direct Object Reference, recently rebranded as Broken Object-Level Authorization (BOLA) in the OWASP API Top 10 — is the single most common API vulnerability and the one most APIs are designed to make easy. The framework gives you a router: `GET /api/orders/:id`. The framework gives you an ORM: `Order.findByPk(req.params.id)`. The framework gives you authentication middleware: `requireUser`. The combination feels secure — the user is logged in, the data exists. The missing piece is the third question: is this user the owner of this order? Most teams add that check eventually. Most do not add it everywhere.

Come funziona

IDOR appears when authorization is tied to knowing an object ID rather than proving ownership or permission. Attackers can use predictable or discoverable identifiers to access another user's data.

Il raggio d'azione

Mass data exfiltration. Every user's data — orders, messages, profile info, uploaded files, billing records, internal notes. In B2B SaaS, cross-tenant access often follows: the IDOR exposes data not just from one other user but from one other org. Write-side IDOR is worse: modifying others' data, deleting accounts, transferring resources, escalating roles. Compliance impact for any service handling regulated data (HIPAA, GDPR, PCI) — IDOR breaches are frequent regulator-attracting events.

// cosa controlla fixvibe

Cosa controlla FixVibe

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Difese a prova di bomba

Authorize every object access. The server-side check is always 'does this user own (or have access to) this object' — implemented at the data-access layer, not just at the auth gate. The cleanest pattern: every database query that touches user-scoped data includes the ownership predicate by default. ORM scopes that automatically filter by `currentUser.id` or `currentOrg.id` make this the path of least resistance. Postgres Row-Level Security policies are the strongest version — the database itself enforces ownership and your application code can't forget. For mass-assignment defense, accept only the fields your endpoint is designed to update; ignore everything else (use a strict input schema with Zod, Yup, or class-validator). Use opaque IDs (UUIDs, ULIDs) — they don't fix the vulnerability but they slow opportunistic exploitation. Finally, write integration tests that authenticate as user A and assert user B's data returns 404. Make it part of the test fixture; bake it into CI.

// run it on your own app

Continua a spedire mentre FixVibe vigila per te.

FixVibe mette sotto pressione la superficie pubblica della tua app come farebbe un attaccante — senza agent, senza installazione, senza carta. Continuiamo a studiare nuovi pattern di vulnerabilità e li trasformiamo in controlli pratici e fix pronti da incollare in Cursor, Claude e Copilot.

Sonde attive
127
test eseguiti in questa categoria
modules
48
controlli dedicati a sonde attive
ogni scansione
487+
test su tutte le categorie
  • Gratis — senza carta di credito, senza installazione, senza ping su Slack
  • Incolla un URL — pensiamo noi a crawl, sonde e report
  • Risultati classificati in base alla gravità, deduplicati solo per segnalare
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Esegui una scansione gratuita

// latest checks · practical fixes · ship with confidence

IDOR / BOLA — Vulnerabilità in primo piano | FixVibe · FixVibe