IDOR Object Ownership Gap
What it is
Resource identifiers appear to drive object access without nearby owner or tenant predicate evidence.
This usually appears when UI state, route naming, or optimistic client branches are mistaken for server-side authorization evidence.
How to fix it
Bind object reads and writes to the authenticated user, tenant, or organization in the server-side query and add negative authorization tests.
- 1Bind object reads and writes to the authenticated user, tenant, or organization in the server-side query.
- 2Never trust client-supplied identifiers as authorization.
- 3Add negative tests that request another user's objects and expect denial.
How VibeAudit checks for this
VibeAudit checks this with CONTROL_DOMINANCE and SAST_LOCAL_STRUCTURAL route/control evidence, plus DAST_AUTHZ_2A two-actor authorization evidence when the scan includes authorized probes. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.
Related failure modes
Check your public launch surface and keep unsupported scope visible.
Run Quick Scan