IDOR (Insecure Direct Object Reference) vulnerabilities are the leading cause of cross-tenant data leaks in multi-tenant SaaS apps. Aikido Zen, an open-source in-app firewall, now prevents IDORs at runtime by parsing every SQL query using a Rust-based SQL parser (compiled to WebAssembly), checking that each query includes the correct tenant filter. If a query is missing the tenant_id filter or uses the wrong value, Zen throws an error immediately during development or testing. The post compares Zen to other approaches like framework-level ORM libraries (acts_as_tenant, django-multitenant) and PostgreSQL Row-Level Security, detailing trade-offs of each. Zen's approach is ORM-agnostic, uses AST-based SQL parsing for correctness, caches parsed queries for performance, and provides an escape hatch for admin/cross-tenant queries. Currently available for Node.js, with Python, PHP, Go, Ruby, Java, and .NET support coming soon.
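A simplified version of the per-query tenant check described above, written as an added Node.js example rather than Zen's own code (which walks a full SQL AST): it handles only a top-level conjunction of simple predicates with literal or `$n` placeholder values, and the `tenant_id` column name and the `allowCrossTenant` escape hatch are assumptions.

```javascript
// Added illustration of a runtime tenant-filter check; not Zen's implementation.
// Assumption: WHERE clauses are a conjunction of simple predicates. A real check
// walks a parsed SQL AST instead of this hand-rolled tokenizer (string literals
// containing AND/OR, subqueries, JOINs etc. are out of scope here).
const TENANT_COLUMN = "tenant_id"; // assumed name of the tenant column

// Split a predicate string on top-level AND/OR, ignoring those inside parentheses.
function splitTopLevel(expr) {
  const parts = [];
  let depth = 0, start = 0, sawOr = false;
  const re = /\b(AND|OR)\b|[()]/gi;
  let m;
  while ((m = re.exec(expr)) !== null) {
    const t = m[0];
    if (t === "(") depth++;
    else if (t === ")") depth--;
    else if (depth === 0) {
      if (t.toUpperCase() === "OR") sawOr = true; // OR can nullify the tenant filter
      parts.push(expr.slice(start, m.index).trim());
      start = m.index + t.length;
    }
  }
  parts.push(expr.slice(start).trim());
  return { parts, sawOr };
}

// Resolve a quoted literal, bare literal or $n placeholder to its bound value.
function resolveValue(token, params) {
  const ph = /^\$(\d+)$/.exec(token);
  if (ph) return params[Number(ph[1]) - 1];
  const quoted = /^'(.*)'$/.exec(token);
  return quoted ? quoted[1] : token;
}

// Returns { ok, reason }; expectedTenant is the tenant of the current request.
function checkTenantFilter(sql, params, expectedTenant, opts = {}) {
  if (opts.allowCrossTenant) return { ok: true, reason: "escape hatch" };
  const where = /\bWHERE\b([\s\S]*?)(?:\b(?:ORDER|GROUP|LIMIT|RETURNING)\b|;|$)/i.exec(sql);
  if (!where) return { ok: false, reason: "no WHERE clause" };
  const { parts, sawOr } = splitTopLevel(where[1]);
  if (sawOr) return { ok: false, reason: "top-level OR can bypass the tenant filter" };
  const eqRe = new RegExp(`^(?:\\w+\\.)?${TENANT_COLUMN}\\s*=\\s*(\\S+)$`, "i");
  for (const p of parts) {
    const eq = eqRe.exec(p);
    if (!eq) continue;
    const value = resolveValue(eq[1], params);
    return String(value) === String(expectedTenant)
      ? { ok: true, reason: "tenant filter matches" }
      : { ok: false, reason: `tenant filter uses ${value}, expected ${expectedTenant}` };
  }
  return { ok: false, reason: `no ${TENANT_COLUMN} filter` };
}
```

In a real integration the check runs inside the database driver before the query is sent, so a missing or mismatched filter fails loudly in development and tests.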
Table of contents
TL;DR
Why IDORs are more dangerous now
Why detection is not enough
What does an IDOR vulnerability look like?
Where Zen fits in
How Zen protects against IDORs
The road to production: eating our own dog food
How we protected our API that serves cloud asset data
Detection & prevention
Getting started