Insecure Direct Object Reference
Insecure Direct Object Reference, more commonly known as IDOR, is a permission-based vulnerability which allows an attacker to access or modify resources belonging to other users of the web application, or rather resources which are not allowed to be controlled by the attacker. The basic fundamental behind IDOR is that an endpoint of a web application tries to display or modify some resource such as a message, image, or file using a user-supplied (or user-controlled) identifier in the request but doesn't check whether the user has enough permission to accomplish the task.
IDOR is not a new vulnerability but I purposely included this section because of the severity or impact of it. Another reason is that XSS and CSRF is harder to discover now because nowadays, web development frameworks such as Rails or Django have built-in filters for XSS and token mechanisms for CSRF, whereas IDOR is a permission-related problem and cannot be fixed automatically or by default...
