๐ŸŒ Web Vulnerabilities

Insecure Direct Object References (IDOR)

Insecure Direct Object References (IDOR) are a type of access control vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, for example database records or files.

Common Types of IDOR Vulnerabilities

  • Horizontal Privilege Escalation: An attacker can access resources that belong to other users.
  • Vertical Privilege Escalation: An attacker can access resources that belong to users with higher privileges.

Prevention Methods

  • Implement Proper Access Control Checks: For every request, the application should check that the user is authorized to access the requested object.
  • Use Indirect Object References: Instead of using direct object references (e.g., id=123), you can use indirect object references (e.g., id=a8d9f0). An indirect object reference is a random and unpredictable value that is mapped to the direct object reference on the server.
  • Don't Expose Direct Object References: If you are using direct object references, you should not expose them in the URL. Instead, you should store them in the user's session.
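The three prevention methods above, as an added example that is not part of the original page: a lookup that trusts the client-supplied id (the IDOR), the same lookup with a per-request ownership check, and a variant that hands the client random indirect references whose mapping lives only in the server-side session. The invoice store, user names and `session` dict are constructed stand-ins for a real database and web framework.

```python
import secrets

# Constructed sample data (not from any real system): invoice id -> record with its owner.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "bob", "total": 75.5},
}


class AuthorizationError(Exception):
    pass


def get_invoice_vulnerable(current_user, requested_id):
    """IDOR: trusts the client-supplied id and never checks who owns the record."""
    return INVOICES[requested_id]


def get_invoice_checked(current_user, requested_id):
    """Prevention 1: authorize every request against the object's owner."""
    invoice = INVOICES.get(requested_id)
    # Return the same error for "missing" and "not yours" so responses do not
    # reveal which ids exist.
    if invoice is None or invoice["owner"] != current_user:
        raise AuthorizationError("not found")
    return invoice


def list_invoice_refs(session, current_user):
    """Prevention 2 and 3: expose random, unpredictable references to the client
    and keep the reference -> id mapping in the server-side session."""
    refs = {
        secrets.token_urlsafe(8): invoice_id
        for invoice_id, invoice in INVOICES.items()
        if invoice["owner"] == current_user
    }
    session["invoice_refs"] = refs
    return list(refs)


def get_invoice_by_ref(session, current_user, ref):
    """Resolve an indirect reference through this user's session, then re-check ownership
    (defence in depth, in case the session mapping is stale)."""
    invoice_id = session.get("invoice_refs", {}).get(ref)
    if invoice_id is None:
        raise AuthorizationError("not found")
    return get_invoice_checked(current_user, invoice_id)
```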