Insecure direct object references (IDOR)

What are insecure direct object references (IDOR)?

IDORs are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly, without checking that the requesting user is actually authorised to access the object that the input points to.

OWASP definition:

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more.

IDOR examples

IDOR vulnerability with direct reference to database objects

The following URL is used by a website to display a customer's account page, retrieving the record from the back-end database:

 https://insecure-website.com/customer_account?customer_number=132355 

In this URL, the customer number is used directly as a record index in the queries performed on the back-end database. With no other controls in place, we can change the customer_number value to view other customers' records, bypassing access controls entirely.

Once we have reached another user's account page, we can pick a customer number that belongs to a user with additional privileges, harvest any password the page leaks, or modify that account's parameters, all without ever authenticating as that user.
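As an added example that is not part of the original page (the real site and its back end are not known), here is the customer_account lookup modelled in Python over an in-memory SQLite table: the vulnerable query keyed on customer_number alone, the fixed query scoped to the logged-in user, and the enumeration loop a tester would run against both. The table layout, the logins wiener and carlos, and all helper names are assumptions.

```python
# Added example (not from the original page): the customer_account lookup over an
# in-memory SQLite table. Table layout, logins and record contents are assumptions.
import sqlite3
from typing import Callable, List, Optional, Tuple

Row = Tuple[int, str, str]  # (customer_number, owner_username, email)
Handler = Callable[[sqlite3.Connection, str, int], Optional[Row]]


def build_db() -> sqlite3.Connection:
    """Constructed back-end data: two customer records owned by two different logins."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        " customer_number INTEGER PRIMARY KEY,"
        " owner_username TEXT NOT NULL,"
        " email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(132355, "wiener", "wiener@example.com"),
         (132356, "carlos", "carlos@example.com")],
    )
    conn.commit()
    return conn


def customer_account_vulnerable(conn: sqlite3.Connection, session_user: str,
                                customer_number: int) -> Optional[Row]:
    """Vulnerable handler. customer_number comes straight from the query string and
    is the only thing the query keys on; session_user is known but never consulted,
    so any logged-in user can read any record by changing the number."""
    return conn.execute(
        "SELECT customer_number, owner_username, email FROM customers"
        " WHERE customer_number = ?",
        (customer_number,),
    ).fetchone()


def customer_account_fixed(conn: sqlite3.Connection, session_user: str,
                           customer_number: int) -> Optional[Row]:
    """Fixed handler. The same lookup, scoped to the authenticated user. A record
    that exists but belongs to someone else is indistinguishable from one that does
    not exist, so the endpoint also stops confirming which numbers are valid."""
    return conn.execute(
        "SELECT customer_number, owner_username, email FROM customers"
        " WHERE customer_number = ? AND owner_username = ?",
        (customer_number, session_user),
    ).fetchone()


def enumerate_accounts(handler: Handler, conn: sqlite3.Connection, session_user: str,
                       start: int, stop: int) -> List[int]:
    """The probe a tester runs: walk a range of customer numbers with one
    low-privileged session and record which ones return data. Against a correct
    endpoint the list contains only the session's own records."""
    return [n for n in range(start, stop) if handler(conn, session_user, n) is not None]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, as wiener:",
          enumerate_accounts(customer_account_vulnerable, db, "wiener", 132350, 132360))
    print("fixed, as wiener:     ",
          enumerate_accounts(customer_account_fixed, db, "wiener", 132350, 132360))
```

The fix is deliberately not "hide the customer number": the identifier can stay in the URL as long as every query that uses it is also constrained by the identity taken from the session. Returning the same "not found" result for missing and foreign records keeps the endpoint from acting as an oracle for which customer numbers exist.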

IDOR vulnerability with direct reference to static files

IDOR vulnerabilities also arise when sensitive resources are stored as static files on the server-side filesystem. If a website saves its chat message transcripts to disk using an incrementing filename and lets users retrieve them by visiting a URL similar to:

 https://insecure-website.com/static/12144.txt 

We can change the filename to retrieve a transcript created by another user, potentially obtaining that user's credentials and other sensitive data, because the web server hands out anything under /static/ without asking who is requesting it.
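Added example (not code from the original page or the site it describes): the transcript store modelled in Python on a temporary directory. The vulnerable layout writes each transcript under the web-served static root with the incrementing name the page shows; the fixed layout keeps the files out of the web root and exposes each one only through a random token recorded in its owner's own index, so the reference is both unguessable and checked against the session. The transcript contents, the logins wiener and carlos, and all class and method names are constructed for illustration.

```python
# Added example (not from the original page). Constructed transcripts keyed by
# the incrementing id the page shows; "wiener"/"carlos" are assumed logins.
import secrets
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

SAMPLE_TRANSCRIPTS = {
    12144: ("wiener", "wiener: my password is letmein1, please fix my login"),
    12145: ("carlos", "carlos: please change my delivery address"),
}


class TranscriptStore:
    def __init__(self, root: Path) -> None:
        self.static_dir = root / "static"     # served verbatim by the web server
        self.private_dir = root / "private"   # no URL maps here
        self.static_dir.mkdir(parents=True)
        self.private_dir.mkdir(parents=True)
        # Indirect reference map: login -> {unguessable token -> real file}
        self.user_index: Dict[str, Dict[str, Path]] = {}
        for number, (owner, text) in SAMPLE_TRANSCRIPTS.items():
            # Vulnerable layout: predictable name under the web-served root.
            (self.static_dir / f"{number}.txt").write_text(text)
            # Fixed layout: same content kept out of the web root, reachable
            # only through a random token recorded in its owner's index.
            private_path = self.private_dir / f"{number}.txt"
            private_path.write_text(text)
            token = secrets.token_urlsafe(16)
            self.user_index.setdefault(owner, {})[token] = private_path

    def serve_static_vulnerable(self, filename: str) -> Optional[str]:
        """Vulnerable: /static/<filename> is returned to anyone who asks. Nothing
        ties 12144.txt to the user who took part in that chat, so walking the
        counter (12143.txt, 12145.txt, ...) reads everyone's transcripts."""
        target = self.static_dir / filename
        return target.read_text() if target.is_file() else None

    def tokens_for(self, session_user: str) -> List[str]:
        """The links a logged-in user sees on their own 'my transcripts' page."""
        return list(self.user_index.get(session_user, {}))

    def serve_transcript_fixed(self, session_user: str, token: str) -> Optional[str]:
        """Fixed: the reference is looked up only in the caller's own index, so a
        token is useless to any other session, and the original incrementing
        filename is never accepted at all."""
        path = self.user_index.get(session_user, {}).get(token)
        return path.read_text() if path is not None else None


def demo_store() -> TranscriptStore:
    """Build the store in a fresh temporary directory so the example runs offline."""
    return TranscriptStore(Path(tempfile.mkdtemp()))


if __name__ == "__main__":
    store = demo_store()
    print("vulnerable, carlos' transcript fetched by anyone:",
          store.serve_static_vulnerable("12145.txt"))
    wiener_token = store.tokens_for("wiener")[0]
    print("fixed, wiener's own token:", store.serve_transcript_fixed("wiener", wiener_token))
    print("fixed, same token from carlos' session:",
          store.serve_transcript_fixed("carlos", wiener_token))
```

The per-user lookup is the part that matters. Swapping the incrementing filename for a random token on its own only makes the reference harder to guess; if the server still resolved any valid token for any session, a token leaked through a referer header, a log, or a shared link would reproduce the original problem. Moving the files out of the static root also removes the path the web server would otherwise serve with no application code in the loop.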

Lab
