IDOR: Insecure Direct Object Reference

6 August 2021 - Articles

In my experience Insecure Direct Object Reference is one of the least well known vulnerabilities out there, but it’s a very simple issue to explain. It’s a vulnerability that generally leads to loss of confidential data, but it can result in the loss or modification of data too.

Consider a URL such as: http://idor.example.com/profile?userID=793 which returns a page like:

Name: Holly Grace 
Password: MyP@ssw0rd

Now imagine that whilst I’m logged into my account I change the URL in the address bar to end: /profile?userID=792 and I get the following:

Name: Tiyler Swaft 
Password: $up3rSecret

That’s Insecure Direct Object Reference! I’ve simply changed a parameter and been able to access data that I shouldn’t; it’s as simple as that. I think it’s an often overlooked vulnerability, first because the parameter doesn’t have to be quite as obvious as in this example, and second because automated scanners aren’t very good at picking up this kind of issue: they don’t necessarily have the intelligence to realise that I shouldn’t be able to read Miss Swaft’s profile information.

The impact isn’t just confidential data loss though, consider URLs like:

http://idor.example.com/changePassword?userID=793
http://idor.example.com/deleteAccount?userID=793

Here you could imagine the IDOR allowing for account take-over and data loss! A pretty simple vulnerability that’s based simply on insufficient authorisation: the user is authenticated, but their permission to act on the requested object is never validated before data is served.
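The following is an added illustration, not code from the article: a minimal profile endpoint written twice, once with the IDOR described above (only authentication is checked) and once with an ownership check that also covers the changePassword/deleteAccount style actions. The user store, session object, `Forbidden` exception and `authorise` helper are all constructed for the example.

```python
# Added example (not from the original article): the same endpoint with and
# without an object-level permission check. Users, fields and the session
# object are constructed for illustration.
from dataclasses import dataclass

# Constructed in-memory user store; in a real app this is the database.
USERS = {
    793: {"name": "Holly Grace", "email": "holly@example.com"},
    792: {"name": "Tiyler Swaft", "email": "tiyler@example.com"},
}


@dataclass
class Session:
    """Authenticated identity from the session cookie, never from the URL."""
    user_id: int
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


def profile_vulnerable(session: Session, requested_id: int) -> dict:
    # Only authentication is checked: any logged-in user can read any profile
    # just by editing ?userID= in the address bar. This is the IDOR.
    return USERS[requested_id]


def authorise(session: Session, requested_id: int) -> None:
    # Central ownership check: the object's owner must match the session
    # identity (or the caller must be an admin). Applied before any read,
    # change or delete, so changePassword/deleteAccount get the same rule.
    if session.user_id != requested_id and not session.is_admin:
        raise Forbidden(f"user {session.user_id} may not access user {requested_id}")


def profile_fixed(session: Session, requested_id: int) -> dict:
    authorise(session, requested_id)
    return USERS[requested_id]


def delete_account_fixed(session: Session, requested_id: int) -> bool:
    authorise(session, requested_id)
    # True if the account existed and was removed.
    return USERS.pop(requested_id, None) is not None
```

Running `profile_vulnerable(Session(793), 792)` returns Tiyler's record, while `profile_fixed` with the same arguments raises `Forbidden`; the fix is the single `authorise` call, not anything about the URL.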
