Insecure Direct Object Reference (IDOR)

What is Insecure Direct Object Reference (IDOR)?
IDOR vulnerabilities arise when an application fails to authenticate the request which refers to the sensitive objects. IDOR is the vulnerability of the Broken Access Control of OWASP Top 10 (A5).
How does an IDOR work?
An attacker finds the request which is not authenticated by the application and sends the request to the server and retrieves the sensitive information. Once any request found with IDOR, it shows the weak access control of the application. Generally, applications vulnerable to IDOR may have multiple requests with the same vulnerability. Sometimes an application may be vulnerable to IDOR to static files, in such case everyone who has the URL of the static file, can access the file.
What attacker can do by exploiting IDOR?
Depending upon the request which is vulnerable to IDOR, an attacker may retrieve a lot of sensitive information like user details, customer details, sensitive files like proposals, SSN, credit card details of users, etc.
Example:
Suppose an application has a request to get user details as shown below:

https://www.vulnerablesite.com/userdetails?user_id=xyz

Let's assume, if the above request does not require any authentication or does not authorize the user before providing details, an attacker can get user details of the user with user_id=xyz. 
Sometimes, static files also may be vulnerable to IDOR as shown in the example below:

https://www.vulnerablesite.com/uploads/document/creditcard.csv

If the above request has not proper authorization checks, anyone with the URL can access the credit card list.
How to prevent IDOR?
The developer must configure an application with the proper authorization structure for each module and each user role for each request which references to object with sensitive information.

0 Comments