This is the act of exploiting a misconfiguration in the way user input is handled tp access resources you wouldn't ordinarily be able to access.

For example, let's say we're logging into our bank account, and after correctly authenticating ourselves, we get taken to a URL like this https://example.com/bank?account_number=1234. On that page we can see all our important bank details, and a user would do whatever they needed to do and move along their way thinking nothing is wrong.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f4c93299-4816-466e-81dd-0fc8dbc7c5be/Untitled.png

However, as you may have picked up on, there seems to be an interesting part of the URL. It seems that the note that we can view is controlled by a URL parameter, let's check if we can access other notes, by increasing the number to 2.

Woohoo! We can access other's notes. While this may seem dramatic, exploiting this is the real world can have drastic consequences. Let's say you found an IDOR vulnerability in a note keeping site, which allowed you to access the notes of others, you could find plenty of personal details, like passwords, usernames, even credit card information.