So IDOMs is a category to describe web app bugs that have been around since at least 2008. In different programming languages it’s known as different names in Ruby it’s called Mass Assignment, in Java and .NET ASPX it’s called Data Binding or Reflection Binding. All these bugs have been categorized under the new IDOM name to prevent confusion. How they work is if a framework let’s you append new objects depending on the parameters you place in your request they get mapped into the application which is a dangerous practice and the only way to prevent an IDOM is to explicitly whitelist object names in the programming logic so if you don’t do this you are automatically vulnerable out of the gate. I’ve found IDOMs in so many big companies web apps especially java MVC based apps. At a recent blackhat conference in 2022 there was a presentation called “Data Binding 2 Shell” where a bunch of researchers have found severe IDOMs in popular java frameworks that led to RCE so the problem is still very much relevant to this day. Think of IDOM as writing to object data and think of IDOR as reading from object data there opposites of each other.