Skip to content

IDOR (Insecure Direct Object References)

Vulnerability Name

IDOR on [Parameter] in [Module/Functionality]

Vulnerability Description

Insecure Direct Object Reference (IDOR) is a vulnerability that arises when attackers can access or modify objects by manipulating identifiers used in a web application's URLs or parameters. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.

IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.

Add your specific vulnerability description if required, the one given above is a general description.

Steps to Reproduce

  1. Login to the application.
  2. Go to [Affected URL] and alter [Vulnerable Parameter] value to something else.
  3. Observe as you should see the information of the another user through your account.

POC

Modify the steps to reproduce above if required. Attach snapshots (POC) or a video link here.

Impact

Attackers can bypass authorization and access resources in the system directly, for example database records or files. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more.

Add your specific impact if required, the one given above is a general impact.

Remediation

  • Never rely on obfuscation alone for access control.
  • Unless a resource is intended to be publicly accessible, deny access by default.
  • Wherever possible, use a single application-wide mechanism for enforcing access controls.
  • At the code level, make it mandatory for developers to declare the access that is allowed for each resource, and deny access by default.

Add your specific remediation if required, the above is a general remediation.

Reference