diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
index 462af455af367..3d2db41a83ca0 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
@@ -12,7 +12,7 @@ import ActionMethods
 // Other queries check that there are authorization checks in place for admin methods.
 private predicate needsChecks(ActionMethod m) { m.isEdit() and not m.isAdmin() }
-private Expr getParentExpr(Expr ex) { result = ex.getParent() }
+private Expr getParentExpr(Expr ex) { result.getAChildExpr() = ex }
 /**
  * Holds if `m` has a parameter or access a remote flow source
@@ -41,7 +41,7 @@ private predicate checksUser(ActionMethod m) {
 /**
  * Holds if `m` is a method that modifies a particular resource based on
- * and ID provided by user input, but does not check anything based on the current user
+ * an ID provided by user input, but does not check anything based on the current user
  * to determine if they should modify this resource.
  */
 predicate hasInsecureDirectObjectReference(ActionMethod m) {
diff --git a/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp b/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp
index fc31d45267d63..8e82ac6f1bb61 100644
--- a/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp
+++ b/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp
@@ -5,7 +5,7 @@
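Review bot: The rewritten `getParentExpr` on the `+` line of the first hunk has no QLDoc, and nothing in the hunk records why the reverse lookup `result.getAChildExpr() = ex` replaces `result = ex.getParent()`, so a later reader will reasonably read it as a semantic change rather than a reformulation. Both forms keep the result typed as `Expr`, so they look equivalent and the motivation is presumably evaluation order or performance; that is worth stating in place, e.g. `/** Gets the expression that has `ex` as a direct child (the enclosing `Expr`). Written as a reverse lookup on `getAChildExpr()` rather than `ex.getParent()` so evaluation is restricted to expressions. */`. If the change was made to fix a concrete regression in the query that `hasInsecureDirectObjectReference` (shown only by its signature in the second hunk) drives, naming that caller in the comment would make the intent checkable.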

 When an action method accepts an ID parameter used to control which resource (e.g. a comment, a user profile, etc) is being accessed/modified, checks should me made to ensure that the current user is authorized to access that resource.
-Otherwise, an attacker could access an arbitrary resource by modifying the ID parameter.

+Otherwise, an attacker could access an arbitrary resource by guessing the ID parameter.