Insecure direct object references (IDOR)

What are insecure direct object references (IDOR)?

IDORs are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

OWASP definition:

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more.

IDOR examples

IDOR vulnerability with direct reference to database objects

The following URL is used by a website to access the customer account page, retrieving the account information from the back-end database:

 https://insecure-website.com/customer_account?customer_number=132355 

In this URL, the customer number is used directly as a record index in queries performed on the back-end database. With no other controls in place, we can modify the customer_number value, bypassing access controls to view the records of other customers.

Once we have landed in another user's account page, we may be able to switch to a user with additional privileges (still bypassing access controls), exploit password leakage, or modify parameters.

IDOR vulnerability with direct reference to static files

IDOR vulnerabilities often show up when sensitive resources are located in static files on the server-side filesystem. Suppose a website saves its chat message transcripts to disk using an incrementing filename, and allows users to retrieve them by visiting a URL similar to:

 https://insecure-website.com/static/12144.txt 

We can modify the filename to retrieve a transcript created by another user and potentially obtain user credentials and other sensitive data.
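Both examples above (the customer_number lookup and the static transcript file) fail for the same reason: the server trusts the user-supplied reference and never checks who owns the object. The following added example, not from the original page, shows the vulnerable direct lookup next to the same lookup with a server-side ownership check; the customer records, transcript files and session user names are constructed for the demo.

```python
"""IDOR demo: direct object lookup versus ownership-checked lookup.
All data below is constructed; no real back-end is involved."""

# Constructed back-end data: customer_number -> record (first example) and
# incrementing transcript filenames -> contents (second example).
CUSTOMERS = {
    132355: {"owner": "alice", "email": "alice@example.com"},
    132356: {"owner": "bob", "email": "bob@example.com"},
}
TRANSCRIPTS = {
    "12144.txt": {"owner": "alice", "text": "alice's chat transcript"},
    "12145.txt": {"owner": "bob", "text": "bob's chat transcript"},
}


class Forbidden(Exception):
    """Raised when the session user does not own the referenced object."""


def vulnerable_account(customer_number: int) -> dict:
    """The parameter is used directly as the record index: any valid number
    returns that customer's record, regardless of who is logged in."""
    return CUSTOMERS[customer_number]


def secure_account(session_user: str, customer_number: int) -> dict:
    """Same lookup, but the record is returned only if it belongs to the
    authenticated session user. Unknown and foreign ids both raise Forbidden,
    so the response does not reveal whether a given id exists."""
    record = CUSTOMERS.get(customer_number)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not access {customer_number}")
    return record


def secure_transcript(session_user: str, filename: str) -> str:
    """Static-file variant: the user-supplied filename is treated only as an
    identifier, and ownership is resolved server-side before serving it."""
    entry = TRANSCRIPTS.get(filename)
    if entry is None or entry["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read {filename}")
    return entry["text"]


def is_denied(func, *args) -> bool:
    """Helper for checking that a lookup is refused."""
    try:
        func(*args)
    except Forbidden:
        return True
    return False
```

With the vulnerable handler, changing 132355 to 132356 returns Bob's record to Alice; the hardened handlers refuse that request and the foreign transcript alike.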

Lab

Last updated 4 years ago
