Insecure Direct Object References (IDOR)

Introduction

• IDOR refers to the ability to interact directly with object by using a reference to their identifier

• An example of IDOR is whenever a web application uses a guessable id value that can be directly modified by the user (e.g. an id in the URL)

• As web applications store users' files and information, they may use sequential numbers or user IDs to identify each item.

• IDOR can lead to accessing data that should not be accessible by attackers.

• What makes this attack very common is essentially the lack of a solid access control system on the back-end.

• IDOR "becomes" BROKEN ACCESS CONTROL whenever a user can access other objects which he doesn't have permissions for (e.g. other user's data or admin data)

Detecting potential IDOR Vulnerabilities

1. Example: GET request with a specific reference to an object by using ?id=NUMBER

2. Example: POST request with a specific reference (in its body) to an object by using ?id=NUMBER

3. Example: POST request with specific user-permissions-related parameters such as user role o permissions or "url":"/abc/data/users/1"