IDOR: Insecure Direct Object Reference

Author: HollyGraceful    Published: 06 August 2021    Last Updated: 03 July 2023

In my experience Insecure Direct Object Reference is one of the least well known vulnerabilities out there, but it’s a very simple issue to explain. It’s a vulnerability that generally leads to loss of confidential data but can result in the loss or modification of data too.

Consider a URL such as: http://idor.example.com/profile?userID=793 which returns a page like:

Name: Holly Grace
Password: MyP@ssw0rd 

Now imagine that whilst I’m logged into my account I change the URL in the address bar to end: /profile?userID=792 and I get the following:

Name: Tiyler Swaft
Password: $up3rSecret 

That’s Insecure Direct Object Reference! I’ve simply changed a parameter and I’ve been able to access data that I shouldn’t; it’s as simple as that. I think it’s an often overlooked vulnerability, first of all because the parameter doesn’t have to be quite as obvious as in this example, and secondly because automated scanners aren’t very good at picking up on this kind of issue, as they wouldn’t necessarily have the intelligence to realise that I shouldn’t be able to read Miss Swaft’s profile information.

The impact isn’t just confidential data loss though, consider URLs like:

http://idor.example.com/changePassword?userID=793 
http://idor.example.com/deleteAccount?userID=793 

Here you could imagine the IDOR allowing for account take-over and data loss! A pretty simple vulnerability that’s based simply on insufficient authorisation, where a user’s permissions are not validated before data is served.
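The missing check, and a test that catches its absence, as an added example that is not code from the original article. The handler names, the `Forbidden` exception, the email values and the rule "a user may only act on their own record" are assumptions made for illustration; the two user IDs and names are the ones used above.

```python
# Constructed in-memory data standing in for a user table.
USERS = {
    792: {"name": "Tiyler Swaft", "email": "tiyler@example.com"},
    793: {"name": "Holly Grace", "email": "holly@example.com"},
}

class Forbidden(Exception):
    """Raised when the session user may not act on the requested object."""

def profile_vulnerable(session_user_id, params):
    # The pattern described above: the userID parameter is trusted as-is.
    # session_user_id is available but never compared with it.
    return USERS[int(params["userID"])]

def authorise(session_user_id, target_user_id):
    # Assumed ownership rule: a user may only act on their own record.
    if session_user_id != target_user_id:
        raise Forbidden(f"user {session_user_id} may not access {target_user_id}")

def profile_checked(session_user_id, params):
    target = int(params["userID"])
    authorise(session_user_id, target)  # check before any data is served
    return USERS[target]

def delete_account_checked(session_user_id, params):
    target = int(params["userID"])
    authorise(session_user_id, target)  # the same check guards state changes
    return USERS.pop(target)

def leaks_other_users(handler, session_user_id, other_user_id):
    """Two-account regression check: as one user, request another user's
    object and report whether the handler served it."""
    try:
        handler(session_user_id, {"userID": str(other_user_id)})
    except Forbidden:
        return False
    return True

if __name__ == "__main__":
    print("vulnerable leaks:", leaks_other_users(profile_vulnerable, 793, 792))
    print("checked leaks:   ", leaks_other_users(profile_checked, 793, 792))
```

The `leaks_other_users` check encodes the knowledge a generic scanner lacks: which session owns which record. Run against every handler that takes an object identifier, it turns that knowledge into a repeatable test.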