Insecure Direct Object Reference (IDOR) (CWE-639)

Overview

Description

IDOR (Insecure Direct Object Reference) is the most common vulnerability found in web applications and APIs. It occurs when the application takes an object identifier from user input and uses it to fetch or modify the object without checking that the requesting user is authorized to access it.

Most web applications use IDs to reference objects. For example, each user has a user ID, which is the primary key of the user record.

Example 1

Consider a website with user registration and login features. After a successful registration or login, it displays a profile page containing all of the user's profile details: name, email, photo, mobile number, social security number, etc.

http://site.com/profile.php?id=111

When an attacker changes the id to 110, the URL becomes http://site.com/profile.php?id=110 and the page shows another user's profile details. Because the IDs are sequential, an attacker can quickly fetch every profile with a small script such as:

#!/usr/bin/env python
import requests

# Walk the sequential profile IDs and save each response to its own file.
url = "http://site.com/profile.php?id="
for i in range(1, 110):
    response = requests.get(url + str(i))          # the id must be a string before concatenation
    with open(str(i) + "_response.txt", "w") as file:
        file.write(response.text)

This is a simple example of IDOR. There are many other places where IDOR can occur.

Example 2

Let's say the website http://site.com has an Update Password page. After login, the user can update their password. The following HTTP POST request is sent to the server when the user clicks Update.

POST /app/customer/reset-password HTTP/1.1
Host: site.com

email=rahul@gmail.com&password=myUpdatedSecret

An attacker can then change the email to any other user's address and send the request as:

POST /app/customer/reset-password HTTP/1.1
Host: site.com

email=victim@gmail.com&password=accountHacked

Thus, IDOR can lead to account takeover.

Impact

  • Account takeover.
  • Access to very sensitive data.
  • View, edit or delete other users' data.
  • A user can perform actions they are not entitled to perform.

Prevention

  • Use indirect reference maps
    • Instead of exposing IDs, use a random alphanumeric string and map it to the actual object.
    • Store this mapping from reference to object in a secure database on the server.
  • Implement access control policies.
  • Check the user's authentication and authorization
    • Before serving each request, check whether the user is authenticated; if not, redirect to the login page.
    • Check whether the user requesting a particular object is authorized to access it.
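As an added example that is not part of the original page, the following Python models the two handlers from Examples 1 and 2 in their vulnerable form beside the two fixes listed above: an ownership (authorization) check and a per-session indirect reference map. The USERS table, the session user IDs and all function names are constructed for illustration.

```python
import secrets

# Constructed sample data (not from the original page): profiles keyed by sequential primary key.
USERS = {
    110: {"name": "Alice", "email": "alice@example.com", "password": "oldA"},
    111: {"name": "Bob", "email": "bob@example.com", "password": "oldB"},
}

class AuthorizationError(Exception):
    pass

def profile_vulnerable(session_user_id, requested_id):
    """Like profile.php?id=N on the page: serves whatever id the client names."""
    return USERS[requested_id]

def profile_authorized(session_user_id, requested_id):
    """Fix 1: authorization check, the object must belong to the logged-in user."""
    if requested_id != session_user_id:
        raise AuthorizationError("user %d may not read profile %d" % (session_user_id, requested_id))
    return USERS[requested_id]

class IndirectReferenceMap:
    """Fix 2: the client only sees random tokens; the token -> id map stays on the server."""
    def __init__(self, session_user_id):
        self.user_id = session_user_id
        self._refs = {}  # token -> primary key, scoped to this session
    def reference_for(self, primary_key):
        # Tokens are only issued for objects the session user owns, so no other id is ever exposed.
        if primary_key != self.user_id:
            raise AuthorizationError("will not reference another user's object")
        token = secrets.token_urlsafe(16)
        self._refs[token] = primary_key
        return token
    def resolve(self, token):
        # A guessed or foreign token is unknown here, so enumeration by id is no longer possible.
        if token not in self._refs:
            raise AuthorizationError("unknown object reference")
        return USERS[self._refs[token]]

def reset_password_vulnerable(session_user_id, posted_email, new_password):
    """Like the page's POST /app/customer/reset-password: picks the account from the posted email."""
    for user in USERS.values():
        if user["email"] == posted_email:
            user["password"] = new_password
            return True
    return False

def reset_password_authorized(session_user_id, new_password):
    """Fix: the account comes from the authenticated session, never from the request body."""
    USERS[session_user_id]["password"] = new_password
    return True
```

The same pattern applies to any object type: resolve the identity from the session, then confirm ownership (or another access-control rule) before touching the object.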