IDOR can lead to unauthorised access to data and functions which are intended to be restricted, potentially allowing attackers to bypass access controls and perform actions like viewing sensitive files, modifying other users’ data, or accessing backend databases. Common scenarios include changing the value of a parameter in a browser’s address bar to access other users’ resources.
To protect against IDOR vulnerabilities, it is essential to implement secure access controls that do not rely solely on the possession of object references. This typically involves server-side checks to verify that the requesting user has the required permissions to access the desired object.
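The following is an added example, not code from the original page: it shows a statement-download lookup with the IDOR flaw beside a hardened version that performs the server-side ownership check described above, plus a per-session indirect-reference map so the client never chooses the internal key. The account numbers, user names, statement bytes and function names are all constructed for the demo.

```python
"""Added example (not from the original page): an IDOR-vulnerable lookup beside
a hardened one. All data and identifiers below are constructed for the demo."""
import secrets
from typing import Callable, Dict

# Constructed sample data: monthly statements keyed by internal account number.
STATEMENTS: Dict[str, Dict[str, object]] = {
    "1001": {"owner": "alice", "pdf": b"%PDF alice january"},
    "1002": {"owner": "bob", "pdf": b"%PDF bob january"},
}


class Forbidden(Exception):
    """Raised when the requester is not authorised for the requested object."""


def download_statement_vulnerable(session_user: str, account_number: str) -> bytes:
    """IDOR: returns the statement for whatever account number the client sent.
    The user is authenticated, but the owner of the object is never compared
    against the session user, so any valid account number is accepted."""
    return STATEMENTS[account_number]["pdf"]  # type: ignore[return-value]


def download_statement_hardened(session_user: str, account_number: str) -> bytes:
    """Look the object up, then verify the authenticated user owns it.
    A missing object and a foreign object produce the same error so the
    response does not reveal which account numbers exist."""
    record = STATEMENTS.get(account_number)
    if record is None or record["owner"] != session_user:
        raise Forbidden("not authorised for this account")
    return record["pdf"]  # type: ignore[return-value]


class ReferenceMap:
    """Per-session map from random, unguessable handles to internal keys.
    One map is created for each user's session and only ever holds handles
    for objects that user is allowed to reach."""

    def __init__(self) -> None:
        self._handles: Dict[str, str] = {}

    def issue(self, real_key: str) -> str:
        handle = secrets.token_urlsafe(16)  # 128 bits of randomness
        self._handles[handle] = real_key
        return handle

    def resolve(self, handle: str) -> str:
        try:
            return self._handles[handle]
        except KeyError:
            raise Forbidden("unknown reference") from None


def download_statement_indirect(session_user: str, refmap: ReferenceMap, handle: str) -> bytes:
    """Resolve the client's handle through that user's own map, then still
    enforce ownership; indirection alone is not the access control."""
    return download_statement_hardened(session_user, refmap.resolve(handle))


def is_denied(func: Callable[..., bytes], *args: object) -> bool:
    """Helper: True if the call is refused with Forbidden, False if it returns data."""
    try:
        func(*args)
    except Forbidden:
        return True
    return False


def demo() -> Dict[str, object]:
    """Exercise the three variants with alice's session requesting bob's account."""
    alice_refs = ReferenceMap()
    alice_handle = alice_refs.issue("1001")  # only alice's own account is mapped
    return {
        "vuln_cross_user": download_statement_vulnerable("alice", "1002"),
        "hardened_cross_user_denied": is_denied(download_statement_hardened, "alice", "1002"),
        "hardened_own": download_statement_hardened("alice", "1001"),
        "indirect_own": download_statement_indirect("alice", alice_refs, alice_handle),
        "indirect_unknown_denied": is_denied(download_statement_indirect, "alice", alice_refs, "bogus"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable function authenticates the user but never authorises the object, which is exactly the gap the statement-download scenario on this page exploits. The hardened function makes the owner comparison on the server for every request, and the reference map adds defence in depth by removing predictable identifiers from the client side altogether; note that the map still delegates the final decision to the ownership check rather than trusting the handle by itself.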
- Predictable References: The application exposes resource identifiers that are easy to guess and to manipulate (such as sequential database keys or file paths).
- Authorisation Flaws: The vulnerability stems from failing to verify a user’s authorisation before providing direct object access.
- Exposure of Internal Implementation: Internal identifiers leak into client-visible references, which makes it possible to manipulate those references and gain unauthorised access to data.
- Common in Web Applications: Frequently found in web applications that generate direct links to objects.
- Real-World Example: An online portal allows users to download their monthly statements by accessing a URL that contains their account number. An attacker modifies this number to another valid account number and gains unauthorised access to other users’ statements.
- Hypothetical Scenario: A cloud storage service uses predictable sequential identifiers for user files. An attacker guesses the file ID in the service URL and is able to download files belonging to other users without permission.
- Access Control: Methods used to define who can access and use company data and resources, which should prevent IDOR vulnerabilities when implemented correctly.
- Security Misconfiguration: Security flaws that result from insecure application configurations, which can include insufficient access controls leading to IDOR.
- Session Management: The process of handling user sessions within web applications. Poor session management can compound IDOR problems by failing to securely track and validate user interactions.