Insecure Direct Object Reference
API resources' identifiers should be unpredictable.
For instance, MongoDB identifiers are not unpredictable and can be guessed.
An unpredictable identifier is not enough to secure the access to the resources.
The API should verify access permissions for each resource.
Last updated