IDOR (Insecure Direct Object Reference) vulnerabilities are a common developer oversight that can affect any platform, including OutSystems. The post explains how IDOR arises when validation performed on the client side (for example, hiding a control in the UI) is not mirrored by an authorization check on the server, so an attacker who manipulates URL parameters or request data can read or delete records belonging to other users. An open-source tool called OutSystems Analyzer is introduced; it scans an application's URLs to flag parameters that are candidate IDOR points. The post walks through a controlled example showing how an 'Edit' parameter exposed in the URL can change screen behaviour, and how a delete action with no server-side ownership check lets one user delete another user's record, with serious LGPD/GDPR implications.
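The delete action described above, reduced to a minimal server-side handler so the missing check is visible, as an added example that is not code from the original post, from OutSystems or from the OutSystems Analyzer tool. The in-memory store, the user and record IDs, and the function names are all hypothetical; the `probe_idor` helper is the kind of cross-session test a pentester runs to confirm the finding.

```python
"""Added example (not from the original post or from OutSystems Analyzer).

A delete action that trusts the record id from the request, next to the same
action with the server-side ownership check the post says is missing, and a
probe that tries every candidate id from another user's session.
All data below is constructed for the example."""

from dataclasses import dataclass, field


@dataclass
class Record:
    id: int
    owner_id: int
    payload: str


@dataclass
class Store:
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


def seed_store() -> Store:
    """Constructed sample data: user 1 owns records 101 and 102, user 2 owns 103."""
    store = Store()
    for rec in (Record(101, 1, "alice-1"), Record(102, 1, "alice-2"), Record(103, 2, "bob-1")):
        store.records[rec.id] = rec
    return store


def delete_vulnerable(store: Store, session_user_id: int, record_id: int) -> str:
    """Vulnerable variant: the only 'check' was on the client (the UI rendered a
    Delete button just for the user's own rows), so any id sent in the request
    is deleted regardless of who owns it."""
    if record_id not in store.records:
        return "not_found"
    del store.records[record_id]
    store.audit.append(("delete", session_user_id, record_id))
    return "deleted"


def delete_hardened(store: Store, session_user_id: int, record_id: int) -> str:
    """Hardened variant: look the record up on the server and compare its owner
    with the authenticated session user, never with anything from the request.
    'Not found' and 'not yours' return the same response so the endpoint cannot
    be used to enumerate which ids exist; the denial is still logged."""
    rec = store.records.get(record_id)
    if rec is None or rec.owner_id != session_user_id:
        store.audit.append(("denied_delete", session_user_id, record_id))
        return "not_found"
    del store.records[record_id]
    store.audit.append(("delete", session_user_id, record_id))
    return "deleted"


def probe_idor(store_factory, delete_fn, attacker_id: int, candidate_ids) -> list:
    """Pentest-style check: from the attacker's session, call the delete action
    with every candidate id and return the ids of records that were deleted even
    though the attacker does not own them. A non-empty list confirms the IDOR."""
    store = store_factory()
    leaked = []
    for rid in candidate_ids:
        owner = store.records[rid].owner_id if rid in store.records else None
        result = delete_fn(store, attacker_id, rid)
        if result == "deleted" and owner != attacker_id:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    # User 2 walks ids 100..104 against each handler.
    print("vulnerable:", probe_idor(seed_store, delete_vulnerable, 2, range(100, 105)))
    print("hardened:  ", probe_idor(seed_store, delete_hardened, 2, range(100, 105)))
```

The same pattern applies to the 'Edit' screen parameter: the server must derive the allowed mode from the session user's permissions and the record's owner, not from the presence of a parameter in the URL.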