IDOR

👉 Overview


👀 What ?

Insecure Direct Object Reference (IDOR) is an access control vulnerability that occurs when an application uses a user-supplied identifier (a database key, filename, account number, etc.) to look up an internal object directly, without verifying that the authenticated user is actually authorized to access that object. The flaw is not that the identifier is visible, but that the authorization check is missing or incomplete, which lets a user read or modify data belonging to someone else.

🧐 Why ?

IDOR matters because it exposes a failure of the application's core access control mechanism: authentication succeeds, but authorization is never enforced for the specific object requested. Exploited, it can lead to unauthorized access to sensitive data (account details, documents, invoices), or to modification or deletion of another user's records, with consequences such as identity theft, financial fraud, and regulatory breaches. Understanding IDOR is therefore essential for both developers and security professionals who build and assess systems.

⛏️ How ?

To exploit an IDOR vulnerability, an attacker takes an authenticated session and changes the value of an object identifier in the request, whether it appears in the URL path or query string, in the body of a POST/PUT request, in a header, or in a cookie, and observes whether the server returns or modifies data that does not belong to them. To prevent IDOR, every request that references an object must be checked server-side against the permissions of the authenticated user (for example, "does this account belong to the current user?"), not merely against whether the object exists. Avoiding the exposure of direct references (using per-user indirect handles or unguessable identifiers) is a useful defence in depth, but on its own it is not a fix: an attacker who obtains a foreign identifier by any other means will still succeed if the authorization check is absent.

⏳ When ?

IDOR has been recognized and documented as a common web application vulnerability since the early 2000s. It became widely known through the OWASP (Open Web Application Security Project) Top 10 list of the most critical web application security risks, where "Insecure Direct Object References" appeared as its own category (A4) in the 2007, 2010 and 2013 editions; since the 2017 edition it is covered under the broader "Broken Access Control" category, which is ranked first in the 2021 list.

⚙️ Technical Explanations


In an IDOR scenario, a URL or an HTTP request body includes a reference to an internal implementation object, such as a file, a directory, or a database record. Because the application trusts that reference and uses it directly for the lookup, a user can manipulate it to reach objects they were never granted access to. For example, if a URL includes a parameter like 'accountID=123', an attacker could change '123' to '124' to attempt to access another user's account. If the application does not verify that account 124 belongs to the authenticated user, the attacker can read that user's data and, where the same endpoint accepts PUT or DELETE requests, modify or delete it. The correct fix is an ownership or permission check performed server-side on every request, typically by scoping the database query to the current user rather than querying by identifier alone.
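The following Python is an added example, not code from the original page: it models the accountID scenario above with a constructed in-memory account table, shows the vulnerable lookup beside its hardened form, adds a per-session indirect reference map as defence in depth, and includes the differential check a tester would run (request another user's object from a second session). The names ACCOUNTS, Request, Response, get_account_vulnerable, get_account_secure, IndirectReferenceMap and idor_check are assumptions made for this illustration.

```python
"""Added example (not from the original page): an IDOR-prone account lookup
beside its hardened form, exercised against a constructed in-memory dataset.
All names here are illustrative assumptions, not a real framework's API."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data standing in for a database table.
ACCOUNTS: Dict[int, dict] = {
    123: {"owner": "alice", "balance": 1500, "iban": "DE00 1234 5678"},
    124: {"owner": "bob",   "balance":  320, "iban": "DE00 8765 4321"},
}


@dataclass
class Request:
    """Minimal stand-in for an authenticated HTTP request."""
    user: str           # identity established by the session cookie
    params: Dict[str, str]  # query string / body, e.g. {"accountID": "124"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _parse_account_id(req: Request) -> Optional[int]:
    try:
        return int(req.params.get("accountID", ""))
    except ValueError:
        return None


def get_account_vulnerable(req: Request) -> Response:
    """The flaw: accountID from the request is used as a database key with
    no check that the record belongs to the authenticated user."""
    account_id = _parse_account_id(req)
    if account_id is None:
        return Response(400)
    record = ACCOUNTS.get(account_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def get_account_secure(req: Request) -> Response:
    """Hardened form: the same lookup, but scoped to the caller. Ownership is
    enforced server-side on every request, and a foreign ID receives the same
    404 as a non-existent one so the endpoint does not reveal which IDs exist."""
    account_id = _parse_account_id(req)
    if account_id is None:
        return Response(400)
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != req.user:
        return Response(404)
    return Response(200, record)


class IndirectReferenceMap:
    """Defence in depth, built per session: the client only ever sees random
    opaque handles, and the map contains only objects this user may reach, so a
    guessed or foreign handle resolves to nothing. This complements the
    ownership check in get_account_secure; it does not replace it."""

    def __init__(self, user: str) -> None:
        self.user = user
        self._handles: Dict[str, int] = {
            secrets.token_urlsafe(16): account_id
            for account_id, record in ACCOUNTS.items()
            if record["owner"] == user
        }

    def handles(self) -> List[str]:
        return list(self._handles)

    def resolve(self, handle: str) -> Optional[int]:
        return self._handles.get(handle)


def idor_check(handler: Callable[[Request], Response],
               victim_id: int, attacker: str) -> bool:
    """Differential test: does a request from `attacker` for an object owned by
    someone else succeed? Returns True if the handler leaks the object."""
    resp = handler(Request(user=attacker, params={"accountID": str(victim_id)}))
    return resp.status == 200 and ACCOUNTS[victim_id]["owner"] != attacker


if __name__ == "__main__":
    # Bob edits accountID=124 (his own) to 123 (alice's) in the request.
    print("vulnerable leaks:", idor_check(get_account_vulnerable, 123, "bob"))
    print("secure leaks:    ", idor_check(get_account_secure, 123, "bob"))
```

The secure handler deliberately returns 404 rather than 403 for a foreign identifier; a 403 would confirm that the object exists, which is exactly the kind of enumeration signal an attacker uses to map out valid IDs before finding a weaker endpoint.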
