
# Insecure direct object references (IDOR)

## What are insecure direct object references (IDOR)?

IDORs are a type of access control vulnerability that arises when an application uses user-supplied input to reference an object directly (a database record, a file) without checking that the requesting user is authorised to access it.

### OWASP definition:

> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more.

## IDOR examples

### IDOR vulnerability with direct reference to database objects

The following URL is used by a website to display the customer account page, retrieving the account details from the back-end database:

```
https://insecure-website.com/customer_account?customer_number=132355
```

In this URL, the customer number is used directly as the record index in the queries performed on the back-end database. With no other controls in place, we can modify the `customer_number` value and, bypassing access controls, view the records of other customers.

We can also change the referenced user to one with additional privileges, again bypassing access controls, and once we have landed in that user's account page we can exploit password leakage or modify parameters.

### IDOR vulnerability with direct reference to static files

IDOR vulnerabilities often show up when sensitive resources are stored as static files on the server-side filesystem. Suppose a website saves its chat message transcripts to disk using an incrementing filename and lets users retrieve them by visiting a URL similar to:

```
https://insecure-website.com/static/12144.txt
```

We can modify the filename to retrieve a transcript created by another user and potentially obtain user credentials and other sensitive data.
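Both patterns above fail for the same reason: the handler trusts a user-supplied reference (`customer_number`, the transcript filename) and never checks who owns the object. The following is an added example, not code from the original page or from any real site; the records, users and filenames are constructed. It shows the vulnerable customer-account lookup next to a hardened version that enforces ownership, and a hardened transcript download that replaces the guessable sequential filename with a random per-user handle resolved on the server. `Session`, `AuthorizationError` and the in-memory dictionaries are hypothetical stand-ins for the real session layer, database and static directory.

```python
"""Added example (not from the original page): a vulnerable IDOR handler next to
its hardened form, for both the database-record and static-file patterns.
All users, records and filenames below are constructed for illustration."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Session:
    """Hypothetical authenticated session; user_id is set by the login layer."""
    user_id: int
    is_admin: bool = False


class AuthorizationError(Exception):
    """Raised when the requesting user does not own the referenced object."""


# Constructed sample data standing in for the back-end database ...
CUSTOMERS = {
    132355: {"owner_id": 1, "name": "Alice", "balance": 250},
    132356: {"owner_id": 2, "name": "Bob", "balance": 9001},
}
# ... and for the static transcript directory with incrementing filenames.
TRANSCRIPTS = {
    "12144.txt": {"owner_id": 1, "body": "alice: my password is hunter2"},
    "12145.txt": {"owner_id": 2, "body": "bob: please reset my PIN"},
}
# Hardened form maps unguessable handles to real filenames, so the
# sequential name never appears in a URL.
TRANSCRIPT_HANDLES: dict = {}


def vulnerable_customer_account(session: Session, customer_number: int) -> dict:
    """Vulnerable: the user-supplied number is used as the record index and
    the session is never consulted, so any customer_number is served."""
    return CUSTOMERS[customer_number]


def customer_account(session: Session, customer_number: int) -> dict:
    """Hardened: fetch the record, then verify the caller owns it (or is admin)."""
    record = CUSTOMERS.get(customer_number)
    # Same failure for 'missing' and 'not yours', so the endpoint cannot be
    # used to enumerate which customer numbers exist.
    if record is None or (record["owner_id"] != session.user_id and not session.is_admin):
        raise AuthorizationError("customer_number not accessible")
    return record


def issue_transcript_handle(session: Session, filename: str) -> str:
    """Hand the owner a random handle for a transcript instead of its filename."""
    meta = TRANSCRIPTS.get(filename)
    if meta is None or meta["owner_id"] != session.user_id:
        raise AuthorizationError("transcript not accessible")
    handle = secrets.token_urlsafe(16)  # 128 bits of randomness, not guessable
    TRANSCRIPT_HANDLES[handle] = filename
    return handle


def transcript(session: Session, handle: str) -> str:
    """Hardened: resolve the handle server-side and still enforce ownership.
    The random handle alone is not the control; the owner check is."""
    filename = TRANSCRIPT_HANDLES.get(handle)
    meta = TRANSCRIPTS.get(filename) if filename is not None else None
    if meta is None or meta["owner_id"] != session.user_id:
        raise AuthorizationError("transcript not accessible")
    return meta["body"]


def access_allowed(handler, session: Session, reference) -> bool:
    """True if the handler serves the object, False if it refuses."""
    try:
        handler(session, reference)
        return True
    except (AuthorizationError, KeyError):
        return False


if __name__ == "__main__":
    alice, bob = Session(user_id=1), Session(user_id=2)
    # Alice tampers with customer_number: the vulnerable handler leaks Bob's record.
    print("vulnerable:", access_allowed(vulnerable_customer_account, alice, 132356))
    print("hardened:  ", access_allowed(customer_account, alice, 132356))
    handle = issue_transcript_handle(alice, "12144.txt")
    print("bob reads alice's transcript:", access_allowed(transcript, bob, handle))
```

The ownership check is the real fix; the random handle only removes the easy enumeration of `12144.txt`, `12145.txt` and so on, and a handler that resolved the handle without the owner comparison would still be an IDOR. Returning the same error for a missing object and for someone else's object keeps the endpoint from doubling as an oracle for valid identifiers.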

#### Lab

{% content-ref url="/pages/-MExVFOp2oNuxXV0hJLg" %}
[Insecure direct object references lab](/ethical-hacking/web-app-pentesting/broken-acess-controls/insecure-direct-object-references-idor/insecure-direct-object-references-lab.md)
{% endcontent-ref %}
