IDOR: Insecure Direct Object Reference
Author: HollyGraceful Published: 06 August 2021 Last Updated: 03 July 2023
In my experience Insecure Direct Object Reference is one of the least well known vulnerabilities out there, but it’s a very simply issue to explain. It’s a vulnerability that generally leads to loss of confidential data but can result in the less of modification of data too.
Consider a URL such as: http://idor.example.com/profile?userID=793 which returns a page like:
Name: Holly Grace Password: MyP@ssw0rd
Now imagine that whilst I’m logged into my account I change the URL in the address bar to end: /profile?userID=792 and I get the following:
Name: Tiyler Swaft Password: $up3rSecret
That’s Insecure Direct Object Reference! I’ve simply changed a parameter and I’ve been able to access data that I shouldn’t, it’s as simple as that. I think it’s an often overlooked vulnerability as first of all the parameter doesn’t have to be quite as obvious as this example and secondly because automated scanners aren’t very good at picking up on this kind of issue as they wouldn’t necessarily have the intelligence to realise that I shouldn’t be able to read Miss Swaft’s profile information.
The impact isn’t just confidential data loss though, consider URLs like:
Here you could imaging the IDOR allowing for account take-over and data loss! A pretty simple vulnerability that’s based simply in an insufficient amount of authentication, where a user’s permissions are not validated before data is served.