Insecure Direct Object Reference


What is IDOR? What are the different types of IDOR? How do you find IDOR? How do you prevent IDOR?
Definition:
Insecure Direct Object Reference (IDOR) is a vulnerability that occurs when an application lets users reach resources by directly referencing an object identifier (a user ID, an order number, a file name) without checking that the requester is authorized to access that particular object. An attacker who can guess or modify such a reference can read or modify data that belongs to other users.
Types of IDOR
1) URL Parameter IDOR: Object references (e.g. user IDs, order IDs) appear in the URL and can be modified by the client.
Example: GET /profile?user_id=1234 -> the attacker changes it to
GET /profile?user_id=1235
If the application does not verify that the logged-in user owns user_id=1235, the attacker can view another user's profile.
2) REST API IDOR: An API endpoint exposes a resource by its identifier in the path without proper authentication and authorization.
Example: GET /api/users/5678 -> the attacker changes it to
GET /api/users/5679
If there is no access control on the endpoint, the attacker can retrieve another user's data.
3) Body Parameter IDOR: A user-controlled identifier is sent in the body of a POST/PUT request and the server acts on it without checking ownership, allowing unauthorized modification.
Example: POST /api/update_email
{"user_id": 9999, "email": "attacker@example.com"}
If the server does not validate that the caller owns user_id=9999, the attacker can change any user's email address simply by changing user_id. Because the email on file is usually where password resets are sent, this is treated as account takeover.
4) Cookie-Based IDOR: A user identifier is stored in a cookie and trusted by the server without validation, so an attacker can edit the cookie and impersonate other users.
Example: Cookie: session_id=abcd1234; user_id=1234 -> the attacker changes it to
Cookie: session_id=abcd1234; user_id=1235
If the server takes the identity from the modified user_id instead of from the server-side session, this leads to session hijacking and privilege escalation (a low-privileged user can set the ID of an administrator).
5) File Access IDOR: Files are located by a predictable identifier in the URL or in a request parameter.
Example: GET /download?file=invoice_1234 -> the attacker changes it to
GET /download?file=invoice_1235
If the system does not check that the caller is allowed to read that file, the attacker can download someone else's invoice. This leads to unauthorized file access and data breaches.
How to find IDOR?
1) Identify the endpoints that reference user-specific resources (IDs in URL paths, query strings, request bodies and cookies).
2) Use tools like Burp Suite Intruder, FFUF or Arjun to discover hidden parameters and enumerate IDs.
3) Test API endpoints that return or accept user-related fields.
4) Look for predictable session tokens or other authorization flaws.
5) Modify the object IDs (ideally targeting objects of a second test account you control) and compare the responses with those for your own objects.
How to prevent IDOR
1) Implement server-side authorization checks before granting access: on every request, verify that the authenticated user owns, or is otherwise permitted to use, the referenced object.
2) Use UUIDs instead of sequential IDs to make enumeration harder. This raises the cost of guessing, but it is not a substitute for the authorization check.
3) Enforce role-based access control (RBAC).
4) Validate user input and session tokens before processing requests, and derive the current user's identity from the server-side session rather than from a client-supplied ID.
5) Apply the principle of least privilege to restrict object access.
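The following Python program is an added example written for this article, not code from the original post or from any real application. It builds a tiny in-memory web app with one handler per IDOR shape described above (URL parameter, body parameter, cookie-based and file access; the REST path form behaves exactly like the URL parameter case), places the vulnerable handler beside its hardened form, and includes the differential probe that step 5 of "How to find IDOR" describes. All names (fresh_state, Request, vulnerable_app, hardened_app, probe_idor), the users, invoices and the session token abcd1234 are constructed for the example.

```python
"""Insecure Direct Object Reference: a vulnerable in-memory app beside its hardened form,
plus the differential probe a tester runs to find the flaw.
Hypothetical example code written for this article; not from any real project."""
from dataclasses import dataclass, field


def fresh_state():
    """Constructed sample data: two users, one invoice each, and a server-side session
    store that maps an opaque token to the authenticated user id."""
    return {
        "users": {1234: {"email": "alice@example.com"}, 1235: {"email": "bob@example.com"}},
        "invoices": {
            "invoice_1234": {"owner": 1234, "body": "Alice's invoice"},
            "invoice_1235": {"owner": 1235, "body": "Bob's invoice"},
        },
        "sessions": {"abcd1234": 1234},
    }


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    params: dict = field(default_factory=dict)  # query string or JSON body; values are strings


def vulnerable_app(state, req):
    """Every branch acts on an identifier the client controls and never checks ownership."""
    users, invoices = state["users"], state["invoices"]
    if req.method == "GET" and req.path == "/profile":            # URL parameter IDOR
        uid = int(req.params["user_id"])
        return (200, users[uid]) if uid in users else (404, None)
    if req.method == "POST" and req.path == "/api/update_email":  # body parameter IDOR
        uid = int(req.params["user_id"])
        if uid not in users:
            return 404, None
        users[uid]["email"] = req.params["email"]                 # any account, not just the caller's
        return 200, users[uid]
    if req.method == "GET" and req.path == "/me":                 # cookie-based IDOR
        uid = int(req.cookies["user_id"])                         # identity taken from a client cookie
        return (200, users[uid]) if uid in users else (404, None)
    if req.method == "GET" and req.path == "/download":           # file access IDOR
        inv = invoices.get(req.params["file"])
        return (200, inv["body"]) if inv else (404, None)
    return 404, None


def hardened_app(state, req):
    """Identity comes only from the server-side session, and each object is checked for
    ownership before it is read or written. A client-supplied user_id is never trusted."""
    users, invoices = state["users"], state["invoices"]
    uid = state["sessions"].get(req.cookies.get("session_id"))
    if uid is None:
        return 401, None
    if req.method == "GET" and req.path in ("/profile", "/me"):
        target = int(req.params.get("user_id", uid))
        if target != uid:                                         # authorization before access
            return 403, None
        return 200, users[uid]
    if req.method == "POST" and req.path == "/api/update_email":
        users[uid]["email"] = req.params["email"]                 # body user_id ignored: own account only
        return 200, users[uid]
    if req.method == "GET" and req.path == "/download":
        inv = invoices.get(req.params["file"])
        if inv is None:
            return 404, None
        if inv["owner"] != uid:                                   # the file exists but is not theirs
            return 403, None
        return 200, inv["body"]
    return 404, None


def probe_idor(app, state, session, path, param, own_value, candidates):
    """Step 5 of 'How to find IDOR': request neighbouring identifiers with the same session
    and report every candidate that returns 200 with a body that is not the caller's own object."""
    def send(value):
        return app(state, Request("GET", path, {"session_id": session}, {param: value}))

    _, own_body = send(own_value)
    leaked = []
    for cand in candidates:
        status, body = send(cand)
        if status == 200 and body != own_body:
            leaked.append(cand)
    return leaked


if __name__ == "__main__":
    ids = [str(i) for i in range(1230, 1240)]
    files = [f"invoice_{i}" for i in range(1230, 1240)]
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        state = fresh_state()
        print(name, "/profile leaks:", probe_idor(app, state, "abcd1234", "/profile", "user_id", "1234", ids))
        print(name, "/download leaks:", probe_idor(app, state, "abcd1234", "/download", "file", "invoice_1234", files))
        takeover = Request("POST", "/api/update_email", {"session_id": "abcd1234"},
                           {"user_id": "1235", "email": "attacker@example.com"})
        app(state, takeover)
        print(name, "bob's email after takeover attempt:", state["users"][1235]["email"])
```

Against vulnerable_app the probe reports user 1235 and invoice_1235 as leaked and the POST rewrites Bob's email; against hardened_app it reports nothing and the same POST only changes the caller's own address. Replacing the sequential IDs with UUIDs would make the candidate lists impossible to guess, but vulnerable_app would still serve any UUID the attacker obtains from a shared link, a log or another endpoint; only the ownership check in hardened_app removes the flaw. Note that answering 403 for an object that exists but is not the caller's confirms the object exists; many teams return 404 for both cases to avoid that oracle.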
Written by sanket narawade
