IDOR scanner for modern apps and APIs
IDOR flaws are among the fastest ways to expose customer data in production. BreachFound helps teams run a focused first-pass scan for object-level authorization issues before launch, enterprise review, or a larger manual pentest.
What IDOR means in practice
IDOR, or insecure direct object reference, is what happens when an application exposes internal identifiers without enforcing proper object-level authorization.
In practice, one authenticated user can request or modify another user’s resource simply by changing an identifier in a URL, request body, or API parameter.
Why IDOR is dangerous for SaaS and APIs
IDOR issues often lead directly to customer data exposure, cross-tenant access, or unauthorized actions in billing, account, support, or admin flows.
For startup products, this category matters because it creates immediate trust, compliance, and sales risk long before a full platform security program is in place.
- Customer record exposure
- Cross-account data access
- Unauthorized updates or exports
- Enterprise review blockers
Common places IDOR appears
IDOR patterns often show up in profile endpoints, document exports, billing APIs, support tools, internal admin routes, and any feature where resource IDs are passed directly between client and server.
- User profile or account routes
- Invoice, billing, or export endpoints
- Customer support dashboards
- File download and object storage access
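The failure described above (an authenticated user changing an id in a request and reaching another customer's record) and the typical location (an invoice or export endpoint) can be shown in a few lines. The following is an added example written for this page, not BreachFound's own code or scanner logic: a minimal invoice handler in its IDOR form beside its hardened form, plus a small authorization regression check that exercises both with two users. All names, ids and records are constructed for illustration.

```python
"""
Added example (not BreachFound code): an invoice endpoint modelled two ways.
The vulnerable version looks up the record by id alone; the hardened version
scopes the lookup to the authenticated user, so changing the id in the URL
cannot reach another customer's invoice. cross_tenant_leaks() is the kind of
regression check a team can keep in its test suite for such endpoints.
All users, ids and records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: two customers, one invoice each.
INVOICES = {
    1001: Invoice(1001, owner_id=1, amount_cents=4_900),
    1002: Invoice(1002, owner_id=2, amount_cents=129_000),
}


@dataclass(frozen=True)
class Request:
    user_id: int     # identity from the validated session, never from the URL
    invoice_id: int  # identifier taken from the URL path or request body


def get_invoice_vulnerable(req: Request):
    """IDOR: the caller is authenticated, but nobody checks who owns the object."""
    inv = INVOICES.get(req.invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_hardened(req: Request):
    """Object-level authorization: the lookup is scoped to the caller.

    The database equivalent is `WHERE invoice_id = ? AND owner_id = ?`.
    A record that exists but belongs to someone else gets the same 404 as a
    missing record, so probing the id space yields no ownership signal.
    """
    inv = INVOICES.get(req.invoice_id)
    if inv is None or inv.owner_id != req.user_id:
        return 404, None
    return 200, inv


def cross_tenant_leaks(handler, users, invoice_ids):
    """Authorization regression check.

    Calls `handler` for every (user, invoice) pair and returns the pairs where
    a user who does not own the invoice still received it. An empty list means
    the handler enforced ownership on every request.
    """
    leaks = []
    for user_id in users:
        for invoice_id in invoice_ids:
            status, inv = handler(Request(user_id, invoice_id))
            if status == 200 and inv.owner_id != user_id:
                leaks.append((user_id, invoice_id))
    return leaks


if __name__ == "__main__":
    users = [1, 2]
    ids = sorted(INVOICES)
    print("vulnerable:", cross_tenant_leaks(get_invoice_vulnerable, users, ids))
    print("hardened:  ", cross_tenant_leaks(get_invoice_hardened, users, ids))
```

The check only proves what it exercises: it needs at least two identities that each own data, and it has to be run against every route that takes an object id, including exports, downloads and support-tool routes, not just the obvious profile endpoint.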
What BreachFound checks
BreachFound is positioned as a low-cost first-pass scan for auth and access-control risk. It helps teams identify whether object-level authorization failures may exist in the tested app or API surface.
If findings matter, teams can unlock the technical report and use it to decide whether broader manual testing is needed.
What automated IDOR scanning cannot prove
No automated workflow covers every path a human reviewer would take. Deep business-logic abuse, highly contextual authorization chains, and ownership rules that can only be reasoned about at source level can still require manual testing.
When to use BreachFound vs. a manual pentest
Use BreachFound when you need a fast first pass before launch, customer due diligence, or a broader purchasing decision. Use a manual pentest when you need deep business-logic review, broad adversarial testing, or formal assurance.
FAQ
Is this only for public APIs?
No. IDOR flaws can exist in web apps, internal dashboards, customer portals, and API-first products. The important factor is whether object identifiers are exposed without strong authorization checks.
Can a cheap first-pass scan still be useful for IDOR?
Yes. It is often a strong early filter before launch or enterprise review. The point is to catch obvious and high-impact access-control issues sooner, then escalate if the risk profile requires deeper manual work.
Does this replace a full broken access control review?
No. It helps you reduce uncertainty quickly, but broader authorization design review can still require human-led testing.
Use BreachFound to reduce uncertainty before launch or review.
Start with a focused first-pass scan, then decide whether to unlock findings or go deeper with broader manual testing.