
Insecure direct object references (IDOR)

What is IDOR?

Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and directly access resources in the system, such as database records or files.
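The difference between a direct lookup and one that enforces an ownership check, as an added example that is not part of the original page. The `Invoice` model, the in-memory `INVOICES` table and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:  # hypothetical record type
    invoice_id: int
    owner: str
    amount_cents: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 12_500),
    1002: Invoice(1002, "bob", 99_900),
}


class NotFound(Exception):
    """Raised for both missing and unauthorized records (maps to HTTP 404)."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    # IDOR: the record is selected purely by the user-supplied identifier.
    # session_user is authenticated but never compared with the record owner.
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice(session_user: str, invoice_id: int) -> Invoice:
    # Hardened: object-level authorization is enforced on every lookup.
    invoice = INVOICES.get(invoice_id)
    # Same error for "does not exist" and "not yours", so the response
    # does not reveal which identifiers are valid.
    if invoice is None or invoice.owner != session_user:
        raise NotFound(invoice_id)
    return invoice


def releases_record(handler, session_user: str, invoice_id: int) -> bool:
    """Return True if the handler hands the record to session_user."""
    try:
        handler(session_user, invoice_id)
        return True
    except NotFound:
        return False
```

`releases_record` can serve as the core of a regression test: for every object-returning handler, assert that a second user's identifier is refused.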

IDOR Handbook

Burp Extensions

References