Feb 18, 2017

Insecure Direct Object References

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter that points straight at an object (a database key, a file name, a user name). The root cause is that the application takes user-supplied input and uses it to retrieve the object without performing a sufficient authorization check.

A typical example: after authenticating, the attacker changes a query-string parameter in the URL (by guessing another number or name). If the server does not verify that the logged-in user is authorized to see the requested record, the attacker gains access to someone else's data simply by changing the input parameter, e.g. getdetail?userName=Mike.

The most important mitigation is therefore to verify, on every request, that the user is authorized to access the data being requested, i.e. to implement a server-side access-control check. Where possible, also avoid exposing the real identifier: map it to a random key that is valid only for the current session (an indirect reference map), so that nothing directly guessable is handed to the client. Indirection on its own is not a substitute for the authorization check, since the server still has to resolve the key to an object and confirm that this session may access it.
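As an added example (not code from the original post), the following Python models the getdetail?userName=Mike handler in three forms: the vulnerable version that trusts the parameter, the same direct reference with a proper access-control check, and the indirect reference map that hands the client a per-session random key instead of the real name. The user records, the session layout, the authorization policy (owner or admin role) and all function names are assumptions constructed for illustration.

```python
"""Added example, not from the original post: IDOR in a getdetail-style handler
and the two mitigations described above. Data, session layout, policy and
function names are constructed assumptions."""
from urllib.parse import parse_qs
import secrets

# Constructed sample data: the private records the handler serves.
USERS = {
    "Mike": {"email": "mike@example.com", "phone": "555-0100"},
    "Alice": {"email": "alice@example.com", "phone": "555-0199"},
}


def new_session(user, roles=()):
    """Server-side session for an authenticated user (assumed layout)."""
    return {"user": user, "roles": frozenset(roles), "ref_map": {}}


def is_authorized(session, user_name):
    """Authorization policy (assumption): a user may read their own record,
    and anyone holding the 'admin' role may read any record."""
    return session["user"] == user_name or "admin" in session["roles"]


def _param(query_string, name):
    return parse_qs(query_string).get(name, [None])[0]


def get_detail_vulnerable(session, query_string):
    """IDOR: the userName parameter selects the object and the authenticated
    identity in the session is never compared with it, so any logged-in user
    reads any record just by editing the URL."""
    user_name = _param(query_string, "userName")
    if user_name not in USERS:
        return 404, None
    return 200, USERS[user_name]


def get_detail_checked(session, query_string):
    """Fixed with an access-control check. The reference is still direct and
    guessable, but the server verifies that the caller may access that object.
    Missing and forbidden records get the same response so the status code
    does not tell an attacker which userName values exist."""
    user_name = _param(query_string, "userName")
    if user_name not in USERS or not is_authorized(session, user_name):
        return 404, None
    return 200, USERS[user_name]


def indirect_ref(session, user_name):
    """Hand the client an opaque per-session token instead of the real key.
    Tokens are random, so they cannot be guessed, and they only resolve inside
    the session that issued them. Only objects the session may access are
    ever mapped."""
    if not is_authorized(session, user_name):
        raise PermissionError(user_name)
    for token, name in session["ref_map"].items():
        if name == user_name:
            return token
    token = secrets.token_urlsafe(16)
    session["ref_map"][token] = user_name
    return token


def get_detail_indirect(session, query_string):
    """Resolve the token through this session's map; a token from another
    session or a made-up value simply does not resolve. The policy check is
    repeated as defence in depth, since roles may change after issuance."""
    token = _param(query_string, "ref")
    user_name = session["ref_map"].get(token)
    if user_name is None or not is_authorized(session, user_name):
        return 404, None
    return 200, USERS[user_name]
```

Running get_detail_vulnerable with Mike's session and userName=Alice returns Alice's record; get_detail_checked refuses it, and with the indirect map Mike never learns a key for Alice's record at all, while a key issued to Mike is useless when replayed from Alice's session.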