Identifier-Based Functions
When a function of an application is used to gain access to a specific resource, it is very common to see an identifier for the requested resource being passed to the server in a request parameter, either within the URL query string or the body of a POST request. For example, an application may use the following URL to display a specific document belonging to a particular user:
https://wahh-app.com/ViewDocument.php?docid=1280149120
When the user who owns the document is logged in, a link to this URL is displayed on the user's My Documents page. Other users do not see the link. However, if access controls are broken, then any user who requests the relevant URL may be able to view the document in exactly the same way as the authorized user.
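The following is an added example, not code from the book: it models the document-viewing function described above in Python, first as a lookup keyed only by the request's docid (the broken access control the text describes) and then with the ownership check that fixes it. The document table, user names, function names and the 404/400 responses are all constructed for illustration; only the URL shape comes from the page.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Document:
    docid: int
    owner: str
    body: str


# Constructed sample data standing in for the application's document table.
DOCUMENTS: Dict[int, Document] = {
    1280149120: Document(1280149120, "alice", "Alice's quarterly report"),
    1280149121: Document(1280149121, "bob", "Bob's private notes"),
}


def view_document_broken(session_user: str, docid: int) -> Tuple[int, str]:
    """Broken access control: the lookup ignores who is logged in, so any
    authenticated user who supplies another user's docid gets the document."""
    doc = DOCUMENTS.get(docid)
    if doc is None:
        return 404, "not found"
    return 200, doc.body


def view_document(session_user: str, docid: int) -> Tuple[int, str]:
    """Fixed: the document must both exist and belong to the session user.
    The check is done server-side against the session, never against a
    user-supplied 'owner' parameter."""
    doc = DOCUMENTS.get(docid)
    if doc is None or doc.owner != session_user:
        # Same response for "missing" and "not yours", so the endpoint does
        # not confirm that a particular identifier exists.
        return 404, "not found"
    return 200, doc.body


def parse_docid(url: str) -> Optional[int]:
    """Extract and validate the docid query parameter from a request URL.
    Returns None unless exactly one well-formed numeric docid is present."""
    values = parse_qs(urlparse(url).query).get("docid", [])
    if len(values) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


def handle_request(session_user: str, url: str) -> Tuple[int, str]:
    """Request handler using the fixed lookup: validate the parameter, then
    resolve the resource within the logged-in user's own scope."""
    docid = parse_docid(url)
    if docid is None:
        return 400, "bad docid"
    return view_document(session_user, docid)


if __name__ == "__main__":
    url = "https://wahh-app.com/ViewDocument.php?docid=1280149120"
    # bob requesting alice's document: served by the broken version, refused by the fixed one
    print("broken:", view_document_broken("bob", 1280149120))
    print("fixed: ", handle_request("bob", url))
    print("owner: ", handle_request("alice", url))
```

The point of the fixed version is that the identifier in the request is never treated as authorization on its own; the server derives the user from the session and scopes the lookup to that user. Returning the same 404 for "missing" and "not owned" is a design choice that keeps the endpoint from revealing which identifiers are valid.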