Glossary
IDOR (Insecure Direct Object Reference)
An access control vulnerability where a user can access other users' resources by modifying an identifier in the request (numeric ID, UUID). IDORs are common in REST APIs and allow viewing, modifying, or deleting other users' data. It is one of the most frequently found flaws during SMB audits.
How IDOR gets exploited in HR SaaS
In HR, payroll, or recruiting software, almost every resource sits behind an identifier: employee record, payslip, contract, application. An IDOR appears when the API checks that the user is logged in, but not that the requested resource belongs to them. Changing /api/employees/1842 to /api/employees/1843 is then enough to read another company's employee record. Sequential IDs make it worse: a script can enumerate the entire database in minutes. UUIDs reduce enumeration but don't fix the flaw — if a UUID leaks through an email, export, or log, the resource remains accessible without any check.
A concrete payroll example
A typical audit finding: a payslip download endpoint like /api/payslips/download?id=98123, authenticated for the current user but with no ownership check on the identifier. Result: any logged-in employee can download payslips across the whole platform, including other client companies. Under GDPR, that is a personal data breach — salaries, addresses, social security numbers.
How CleanIssue detects IDOR
During an external review we systematically test identifier-driven endpoints: incrementing IDs, swapping identifiers between two test accounts, replaying requests from one tenant against another. Every finding ships with a reproducible proof and a business impact assessment — which employee data is actually exposed. IDOR is one of the most frequent flaws in our HR SaaS audits, and one of the simplest to fix: a systematic server-side ownership check.
Frequently asked questions
What is the difference between IDOR and BOLA?
BOLA (Broken Object Level Authorization) is the same problem framed for APIs — it is #1 in the OWASP API Security Top 10. IDOR is the historical web-application term. Both describe a missing object-level authorization check.
Do UUIDs protect against IDOR?
No. UUIDs make enumeration harder but are not an access control. If a UUID is exposed in a shared URL, export, or log, the resource stays accessible to whoever holds it. The only reliable fix is a server-side ownership check on every request.
Is an IDOR in HR software a GDPR breach?
If the flaw was exploited and personal data (payslips, contracts, contact details) was accessed by an unauthorized party, it is a data breach under GDPR Article 33, potentially notifiable to the supervisory authority within 72 hours. Finding and fixing these flaws before an incident is part of the Article 32 security obligation.