What is IDOR
Insecure direct object reference (IDOR) is a type of access control vulnerability. It occurs when a web application or application programming interface uses a client-supplied identifier to access an object in an internal database directly, but does not check whether the caller is authenticated and permitted to access that object.
IDOR and OWASP Top 10
The OWASP Top 10 is an expertly compiled list of the security vulnerabilities that occur most often and cause the most known damage. The list is based on input from security experts in various communities and is usually updated every 3-4 years. IDOR appeared in the 2017 list. The term describes attacks in which a threat actor directly manipulates object references to gain unauthenticated access to a restricted resource or application. The OWASP IDOR definition notes that vulnerable web pages or applications tend to expose a direct reference to an internally implemented object, such as a user ID. This makes the actual identifier, or at least its format, public, and with it an unwanted user can reach resources or operations owned by the web application.
Insecure direct object reference – Example
Example-1:
IDOR through user-controlled parameter values is very common and easy to spot in the wild; here I am going to explain it in a simple way.
EXAMPLE FOR IDOR VULNERABILITY INTO DATABASE
Suppose there is a website https://hackerinthehouse.in/blog, and suppose Neha is a hacker. She signs up and visits her own account at https://hackerinthehouse.in/blog/account?id=1234. She looks over the link and the request for parameters, and her eye falls on id=1234. She simply changes it to id=1235 and, boom, she is able to access another person's account. That is the vulnerability.
Example-2:
Let's assume Neha and Soumya are rivals who both visit their favourite comic site, https://bridescomicxyz.com, where both have accounts. Neha visits Soumya's profile page, https://bridescomicxyz.com/profile/user?=45, intercepts the request in Burp Suite, watches it closely and manages to find the token id, which she copies. Now that she has the token id it is time for account takeover: after logging in to her own account again, she intercepts the request, replaces the token id with the copied one and forwards it. Boom, account takeover: https://bridescomicxyz.com/profile/user?=45 becomes https://bridescomicxyz.com/profile/user?=55
Impacts of IDOR vulnerability
- Exposure of confidential information: an attacker can take full control of the victim's account and access their personal information
- Changes to data: once an attacker has access to the victim's account, it is not difficult to change data without the victim's permission, which may also lead to manipulation of records
- Account takeover: an attacker may gain access to multiple user accounts just by changing the “UID” values, which amounts to an account takeover vulnerability
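The account-takeover path above comes from walking through id values one after another, and that pattern is visible in access logs. The following is an added example, not code from the original post: a small detector that flags a session requesting many distinct object ids, or a run of consecutive ids, from the same endpoint. The log format, session ids, paths and thresholds are all constructed for the example.

```python
# Added example, not code from the original post: flag a session that walks
# through many distinct object ids, the access pattern produced when someone
# changes ?id=1234 to 1235, 1236, ... looking for other users' records.
# The log format, session ids, paths and thresholds are all constructed here.
import re
from collections import defaultdict

# Constructed access-log lines: timestamp, session id, method, request path.
SAMPLE_LOG = """\
2024-01-01T10:00:01 sess=aaa GET /blog/account?id=1234
2024-01-01T10:00:05 sess=aaa GET /blog/account?id=1235
2024-01-01T10:00:07 sess=aaa GET /blog/account?id=1236
2024-01-01T10:00:09 sess=aaa GET /blog/account?id=1237
2024-01-01T10:00:12 sess=aaa GET /blog/account?id=1238
2024-01-01T10:01:00 sess=bbb GET /blog/account?id=2001
2024-01-01T10:02:00 sess=bbb GET /blog/account?id=2001
2024-01-01T10:03:00 sess=ccc GET /blog/account?id=3010
2024-01-01T10:03:30 sess=ccc GET /blog/account?id=7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sess=(?P<sess>\S+) (?P<method>\S+) (?P<path>\S+)$")
ID_RE = re.compile(r"[?&]id=(\d+)")


def ids_per_session(log_text):
    """Return {session: set of numeric ids requested}; lines without id= are ignored."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        id_match = ID_RE.search(m["path"])
        if id_match:
            seen[m["sess"]].add(int(id_match.group(1)))
    return dict(seen)


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in ids (1234,1235,1236 -> 3)."""
    best = run = 0
    prev = None
    for value in sorted(ids):
        run = run + 1 if prev is not None and value == prev + 1 else 1
        best = max(best, run)
        prev = value
    return best


def flag_enumeration(log_text, min_distinct=4, min_run=3):
    """Sessions that touched at least min_distinct ids or a sequential run of
    at least min_run. A user reloading the same page (sess=bbb) is not flagged."""
    flagged = {}
    for sess, ids in ids_per_session(log_text).items():
        run = longest_sequential_run(ids)
        if len(ids) >= min_distinct or run >= min_run:
            flagged[sess] = {"distinct": len(ids), "sequential_run": run}
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

The thresholds are deliberately low so the constructed log triggers; on a real site they should be tuned per endpoint, and the session id should be taken from the server-side session rather than a client-supplied header so the attacker cannot split their requests across fake sessions.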
Mitigation of the vulnerability
- Developers need to avoid exposing private object references such as keys, file names and other internal names
- Parameter validation must be implemented properly
- All referenced objects need to be verified before access is granted
- Tokens should be generated in such a way that they map only to their user and are never public
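The mitigations above, and the ?id= lookup from Example 1, in working form. This is an added example, not code from the original post: the IDOR-prone account lookup beside a hardened version that checks ownership against the server-side session identity, plus a per-user indirect reference map so the real database id never appears in a URL and a handle copied from someone else's request resolves to nothing. The account table, user names, `Forbidden` exception and helper names are all constructed for this example.

```python
# Added example, not code from the original post: the IDOR-prone account lookup
# from Example 1 beside a hardened version that checks ownership against the
# server-side session identity, plus a per-user indirect reference map so the
# real database id never appears in a URL. The account table, user names and
# the Forbidden exception are constructed for this example.
import secrets


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


# Constructed sample table: account id -> owner and private data.
ACCOUNTS = {
    1234: {"owner": "neha", "email": "neha@example.invalid", "balance": 120},
    1235: {"owner": "soumya", "email": "soumya@example.invalid", "balance": 980},
}


def get_account_vulnerable(session_user, requested_id):
    """Vulnerable pattern: the id taken from ?id=... is used directly as the
    database key, so any logged-in user can read any account by changing 1234 to 1235."""
    record = ACCOUNTS.get(requested_id)
    if record is None:
        raise Forbidden("account not found")
    return record


def get_account_hardened(session_user, requested_id):
    """Hardened pattern: fetch the object, then verify the authenticated user owns it.
    session_user comes from the server-side session, never from the request."""
    record = ACCOUNTS.get(requested_id)
    if record is None or record["owner"] != session_user:
        # Same error for "missing" and "not yours", so the check does not reveal which ids exist.
        raise Forbidden("account not found")
    return record


class IndirectReferenceMap:
    """Per-user map from an opaque random handle to the real id. Handles are
    minted only for objects the user owns and mean nothing in another user's map."""

    def __init__(self, user):
        self.user = user
        self._handles = {}  # opaque handle -> real id

    def handle_for(self, real_id):
        get_account_hardened(self.user, real_id)  # refuse to mint a handle for someone else's object
        for handle, rid in self._handles.items():
            if rid == real_id:
                return handle  # reuse the existing handle so URLs stay stable within the session
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = real_id
        return handle

    def resolve(self, handle):
        real_id = self._handles.get(handle)
        if real_id is None:
            raise Forbidden("account not found")
        return get_account_hardened(self.user, real_id)  # ownership is re-checked on every use


def can_read(lookup, session_user, requested_id):
    """True if lookup grants session_user the record; used to compare the handlers."""
    try:
        lookup(session_user, requested_id)
        return True
    except Forbidden:
        return False


def indirect_reference_demo():
    """Mint a handle for neha's own account, then show it is useless to soumya."""
    neha_map = IndirectReferenceMap("neha")
    handle = neha_map.handle_for(1234)
    soumya_map = IndirectReferenceMap("soumya")
    return {
        "owner_via_handle": neha_map.resolve(handle)["owner"],
        "handle_is_stable": neha_map.handle_for(1234) == handle,
        "neha_can_mint_for_1235": can_read(lambda u, i: neha_map.handle_for(i), "neha", 1235),
        "soumya_can_use_neha_handle": can_read(lambda u, h: soumya_map.resolve(h), "soumya", handle),
    }


if __name__ == "__main__":
    print(can_read(get_account_vulnerable, "neha", 1235))  # vulnerable: True
    print(can_read(get_account_hardened, "neha", 1235))    # hardened: False
    print(indirect_reference_demo())
```

The ownership check is the part that actually closes the hole; the indirect reference map is a second layer that also keeps real ids out of URLs and logs. Note that the map resolves a handle back to the real id and then still calls the ownership check, so even a handle leaked from one user's session cannot be replayed by another.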
Thank you for reading this, and have a nice stay here!