Missing function-level access control

Another aspect of IDOR is missing function-level access control. If the application fails to enforce access rights at the function level, anyone with network access can send a request to a privileged handler and receive a response, rather than only the specific user who holds the required privilege. For instance, an admin URL should not be reachable by a user who lacks admin-level access rights.

APIs whose sensitive request handlers are insufficiently protected fall into the category of missing function-level access control, and so allow attackers to invoke privileged functionality without the necessary authorization.

Testing for this vulnerability should focus on two essential scenarios: whether a user can directly browse to a resource they are not authorized for, and whether the UI that calls the API exposes an unauthorized resource to that user (for example, an admin link or endpoint that is merely hidden rather than enforced server-side).
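The following is an added example, not code from the book: a minimal in-memory request router with an admin handler that lacks any function-level check, beside the same handler guarded by a server-side role check, plus a helper that performs the first test scenario (directly browsing the admin URL with a non-admin session). The `Request`, `Response`, route tables and role names are all constructed here for illustration.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict

@dataclass
class Request:
    path: str
    user: str
    role: str  # resolved server-side from the session, never taken from client input

@dataclass
class Response:
    status: int
    body: str

Handler = Callable[[Request], Response]

def requires_role(*allowed: str):
    """Function-level check: the session role must be in the allowed set."""
    def decorator(fn: Handler) -> Handler:
        @wraps(fn)
        def guarded(req: Request) -> Response:
            if req.role not in allowed:
                return Response(403, "forbidden")
            return fn(req)
        return guarded
    return decorator

def vulnerable_delete_user(req: Request) -> Response:
    # Missing check: anyone who can reach the URL can invoke the admin function.
    return Response(200, f"user deleted by {req.user}")

@requires_role("admin")
def guarded_delete_user(req: Request) -> Response:
    return Response(200, f"user deleted by {req.user}")

# Constructed route tables: same URL, with and without the server-side check.
VULNERABLE_ROUTES: Dict[str, Handler] = {"/admin/deleteUser": vulnerable_delete_user}
HARDENED_ROUTES: Dict[str, Handler] = {"/admin/deleteUser": guarded_delete_user}

def dispatch(routes: Dict[str, Handler], req: Request) -> Response:
    handler = routes.get(req.path)
    return handler(req) if handler else Response(404, "not found")

def direct_browse_test(routes: Dict[str, Handler], path: str, role: str) -> int:
    """Scenario 1 from the text: a session with the given role browses the URL
    directly, regardless of whether the UI ever showed a link to it."""
    return dispatch(routes, Request(path, user="alice", role=role)).status
```

With a plain `user` session, `direct_browse_test(VULNERABLE_ROUTES, "/admin/deleteUser", "user")` returns 200 while the hardened table returns 403, which is the difference a function-level access test is looking for.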
