Email us at office@sencode.co.uk

Contact Us Today 01642 716680

IDOR

Definition: Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. This vulnerability arises when an application uses predictable references, such as a URL or form parameter, to access internal objects such as files or database keys without proper authorisation checks.

acting as a featured image for the page

IDOR can lead to unauthorised access to data and functions which are intended to be restricted, potentially allowing attackers to bypass access controls and perform actions like viewing sensitive files, modifying other users’ data, or accessing backend databases. Common scenarios include changing the value of a parameter in a browser’s address bar to access other users’ resources.

To protect against IDOR vulnerabilities, it is essential to implement secure access controls that do not rely solely on the possession of object references. This typically involves server-side checks to verify that the requesting user has the required permissions to access the desired object.

Key Characteristics:

  • Predictable References: Involves predictable and manipulable resource identifiers (like database keys or file paths).
  • Authorisation Flaws: The vulnerability stems from failing to verify a user’s authorisation before providing direct object access.
  • Exposure of Internal Implementation: This makes it possible to manipulate references to gain unauthorised access to data.
  • Common in Web Applications: Frequently found in web applications that generate direct links to objects.

Examples:

  • Real-World Example: An online portal allows users to download their monthly statements by accessing a URL that contains their account number. An attacker modifies this number to another valid account number and gains unauthorised access to other users’ statements.
  • Hypothetical Scenario: A cloud storage service uses predictable sequential identifiers for user files. An attacker guesses the file ID in the service URL and is able to download files belonging to other users without permission.

Related Terms:

  • Access Control: Methods used to define who can access and use company data and resources, which should prevent IDOR vulnerabilities when implemented correctly.
  • Security Misconfiguration: Security flaws that result from insecure application configurations, which can include insufficient access controls leading to IDOR.
  • Session Management: The process of handling user sessions within web applications. Poor session management can compound IDOR problems by failing to securely track and validate user interactions.

Related Services:

What is the OWASP Top 10: Download our flash cards to find out.

Inside you will find a description of the most common web vulnerabilities.

Contact us

Get a free, no obligation quote from one of our expert staff.

    Address

    Fusion Hive
    North Shore Road
    Stockton-on-Tees
    North East
    UK
    TS18 2NB

    Resources

    Glossary Careers Privacy Policy Contact Us

    Penetration Testing

    Penetration Testing Web App Penetration Testing Network Penetration Testing Mobile App Penetration Testing Social Engineering API Penetration Test GDPR Penetration Test VAPT

    Security Assessments

    Security Assessments Vulnerability Assessment Red Team Assessment AWS Cloud Security Review Microsoft Cloud Security Review OSINT Assessment Cyber Awareness Training
    01642716680 office@sencode.co.uk
    Trustpilot

    © 2024 Sencode Limited | Company Registration Number 12265595 | VAT Number 366 0145 11 | All Rights Reserved