This vulnerability occurs when an application uses actual reference identifiers (IDs), names, or keys to create web pages or URLs, and the application does not verify the authenticity of the user to access the requested page. An attacker may change the parameters in the URLs to detect such vulnerabilities.

In an application, the data of a user will not be accessible for another user. Check the following script sample; It will iterate through the users and check the data is visible for the logged-in user:

import mechanize 
 
url = "http://www.webscantest.com/business/access.php?serviceid=" 
 
attackNumber = 1 
 
for i in range(5): 
 
    res = mechanize.urlopen(url+str(i)) 
 
    content = res.read() 
   
 
    #  check if the content is accessible 
 
    if content.find("You service") > 0: 
 
         print "Possible Direct Object Reference" 
 
          
...