What it is
The flaw lives in URLs, path parameters, request bodies, and GraphQL variables. The pattern is always the same: the client supplies an identifier, the server fetches the corresponding row, and the server never checks whether the caller actually owns it. Sequential numeric IDs make the attack trivial to automate; UUIDs slow discovery but do not fix the underlying authorisation gap.
Why it matters
The flaw is usually a horizontal privilege escalation — one user reading another user’s data — but can become vertical when admin objects share the same namespace. The class is devastating to multi-tenant services, where a single instance in a shared endpoint can expose data across every customer on the platform.
Mitigation direction
Every authenticated request that acts on an identifier must run a server-side ownership check. Centralise the check in a policy layer so it cannot be forgotten per-endpoint. Bind identifiers to the authenticated subject at issue time — signed capability URLs or tenant-scoped IDs remove ambiguity entirely.
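As an added example (not the page's own code), a vulnerable handler beside one that routes every fetch by identifier through a centralised, tenant-scoped ownership policy; the sample data, the `Subject` fields and the `load_owned` policy function are constructed assumptions:

```python
from dataclasses import dataclass

# Constructed sample data: two tenants, three users, three invoices.
INVOICES = {
    1: {"tenant_id": "acme", "owner_id": "alice", "total": 120},
    2: {"tenant_id": "acme", "owner_id": "bob", "total": 75},
    3: {"tenant_id": "globex", "owner_id": "carol", "total": 990},
}


@dataclass(frozen=True)
class Subject:
    """The authenticated caller, as established by the auth layer (assumed shape)."""
    user_id: str
    tenant_id: str
    is_admin: bool = False


class NotFound(Exception):
    """Raised for missing and foreign objects alike, so responses do not confirm existence."""


def get_invoice_vulnerable(subject: Subject, invoice_id: int) -> dict:
    # Vulnerable: the identifier is trusted and the row is returned without
    # checking that the subject owns it or even belongs to the same tenant.
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def load_owned(subject: Subject, table: dict, object_id: int) -> dict:
    """Centralised policy: the only way handlers may fetch a row by identifier.

    The row must sit in the caller's tenant, and within that tenant belong to
    the caller or be read by a tenant admin. Anything else is reported as missing.
    """
    row = table.get(object_id)
    if row is None or row["tenant_id"] != subject.tenant_id:
        raise NotFound(object_id)
    if row["owner_id"] != subject.user_id and not subject.is_admin:
        raise NotFound(object_id)
    return row


def get_invoice(subject: Subject, invoice_id: int) -> dict:
    # Hardened: the handler cannot forget the check because it never touches
    # the table directly; every lookup goes through the policy layer.
    return load_owned(subject, INVOICES, invoice_id)


def can_read(handler, subject: Subject, invoice_id: int) -> bool:
    """Test helper: True if the handler returns the row, False if it reports NotFound."""
    try:
        handler(subject, invoice_id)
        return True
    except NotFound:
        return False
```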