IDOR (Insecure Direct Object Reference) is the most common vulnerability found in web applications and APIs. It occurs when user-supplied input is used to reference an object without validating that the requesting user is actually allowed to access that object.
Most web applications use IDs as references to objects. For example, each user has a user ID, which is the primary key of the user entity.
Consider a website with user registration and login features. After a successful registration or login, it displays a profile page containing all profile details such as name, email, photo, mobile number, social security number, etc.
When the attacker changes the id parameter to 110, the URL becomes http://site.com/profile.php?id=110 and the page shows the profile details of another user! As IDs are sequential, an attacker can quickly collect all profile details with a small script like:

```python
#!/usr/bin/env python
import requests

url = "http://site.com/profile.php?id="
for i in range(1, 110):
    # the id must be converted to a string before concatenation
    response = requests.get(url + str(i))
    # save each profile page to its own file
    with open(str(i) + "_response.txt", "w") as f:
        f.write(response.text)
```
This is a simple example of IDOR. There are many such cases where IDOR may exist.
Let's say the website http://site.com has an update-password page. After login, the user can update their password. The following HTTP POST request is sent to the server when the user clicks Update:

```http
POST /app/customer/reset-password HTTP/1.1
Host: site.com

email=firstname.lastname@example.org&password=myUpdatedSecret
```
Then, an attacker can change the email parameter to any other user's email address and send a request such as:

```http
POST /app/customer/reset-password HTTP/1.1
Host: site.com

email=email@example.com&password=accountHacked
```
Thus, IDOR may lead to account takeover. In general, the impact of IDOR includes:
- Account takeover.
- Access to very sensitive data.
- Viewing, editing or deleting other users' data.
- Performing actions that the user is not permitted to perform.
IDOR can be prevented with the following measures:
- Use indirect reference maps.
  - Instead of exposing IDs, use a random alphanumeric string and map it to the actual object.
  - Store this mapping from reference to object in a secure database on the server.
- Implement access control policies.
- Check the user's authentication and authorization.
  - Before serving each request, check whether the user is authenticated; if not, redirect to the login page.
  - Check whether the user requesting a particular object is authorized to access it.
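The two measures above, as an added example that is not part of the original article: an indirect reference map bound to the server-side session, plus an ownership check on every request, shown next to the vulnerable profile and reset-password handlers from the text. The Session class, the handler names and the USERS table are constructed for illustration and do not belong to any real application.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data standing in for the site's user table.
USERS = {
    109: {"name": "Alice", "email": "alice@example.com", "password": "s3cret"},
    110: {"name": "Bob", "email": "bob@example.com", "password": "hunter2"},
}

@dataclass
class Session:
    """Server-side session: who is logged in, plus this session's reference map."""
    user_id: int
    refs: dict = field(default_factory=dict)  # opaque token -> real object id

    def reference_for(self, object_id):
        """Indirect reference map: hand out a random token instead of the raw id."""
        token = secrets.token_urlsafe(16)
        self.refs[token] = object_id
        return token

def get_profile_vulnerable(requested_id):
    """IDOR: trusts ?id= from the query string and never checks who is asking."""
    return USERS.get(requested_id)

def get_profile_secure(session, ref):
    """Resolve the opaque token through the session's own map, then enforce ownership.
    A token minted for another session does not resolve, and even a token that maps
    to someone else's id is refused by the authorization check."""
    object_id = session.refs.get(ref)
    if object_id is None or object_id != session.user_id:
        return None  # respond with 403/404 in a real application
    return USERS[object_id]

def reset_password_vulnerable(body):
    """IDOR: the account to update is chosen by the attacker-controlled email field."""
    for uid, user in USERS.items():
        if user["email"] == body["email"]:
            user["password"] = body["password"]
            return uid
    return None

def reset_password_secure(session, body):
    """The account identity comes from the authenticated session, never from the body;
    an email field in the body is simply ignored."""
    USERS[session.user_id]["password"] = body["password"]
    return session.user_id
```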