Insecure Direct Object Reference (IDOR) is a vulnerability that arises when a web application exposes a reference to an internal object (a database key, a filename, an account number) in a URL or request parameter, and an attacker can access or modify other users' objects simply by changing that identifier. The root cause is a missing access control check: the application retrieves whatever the identifier points to without verifying that the current user is authorized for that specific object.
Preventing insecure direct object references requires selecting an approach for protecting each user-accessible object (e.g., object number, filename):

* Use per-user or per-session indirect object references. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource's database key, a dropdown list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application then maps the per-user indirect reference back to the actual database key on the server; because only objects the user is authorized for are ever entered into the map, a reference the user was never given resolves to nothing. OWASP's ESAPI includes both sequential and random access reference maps that developers can use to eliminate direct object references.
* Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object. The check belongs on every request that uses the reference, not only on the page that first lists the objects.
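As an added example (not code from the original page or from OWASP), the two approaches above in Python: a handler that uses the client-supplied id directly, the same handler with an ownership check in front of the lookup, and a per-session indirect reference map written in the spirit of ESAPI's random access reference map. The invoice data, user names and function names are constructed for illustration; the map is a hypothetical re-implementation, not ESAPI itself. An attacker-style enumeration loop is included so the difference between the vulnerable and the checked handler is visible on a single run.

```python
import secrets

# Constructed sample data: invoices keyed by database id, each with an owner.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 85.50},
    103: {"owner": "alice", "amount": 42.00},
}


def get_invoice_vulnerable(user, invoice_id):
    """IDOR: the client-supplied id is used directly; ownership is never checked.
    Returns an (http_status, body) pair the way a web handler would."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice


def get_invoice_checked(user, invoice_id):
    """Hardened direct reference: an access control check precedes every use.
    Missing and forbidden objects get the same status so valid ids cannot be
    told apart from invalid ones by probing."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        return 404, None
    return 200, invoice


def enumerate_ids(handler, user, id_range):
    """Attacker loop: walk the id space and record which objects the handler serves."""
    return [i for i in id_range if handler(user, i)[0] == 200]


class IndirectReferenceMap:
    """Per-session map from unguessable tokens to direct keys (hypothetical
    re-implementation in the style of ESAPI's RandomAccessReferenceMap)."""

    def __init__(self):
        self._to_token = {}
        self._to_direct = {}

    def add(self, direct_key):
        # Server-side only: called for objects the session's user is authorized for.
        if direct_key not in self._to_token:
            token = secrets.token_urlsafe(16)
            self._to_token[direct_key] = token
            self._to_direct[token] = direct_key
        return self._to_token[direct_key]

    def resolve(self, token):
        # A token that was never issued to this session resolves to None.
        return self._to_direct.get(token)


def build_session_map(user):
    """At login or page render, only the caller's own objects receive tokens."""
    ref_map = IndirectReferenceMap()
    for invoice_id, invoice in INVOICES.items():
        if invoice["owner"] == user:
            ref_map.add(invoice_id)
    return ref_map


def get_invoice_indirect(ref_map, token):
    """The client sends a token; the server maps it back to the real key.
    Sending a raw database id, or another user's token, is rejected."""
    invoice_id = ref_map.resolve(token)
    if invoice_id is None:
        return 404, None
    return 200, INVOICES[invoice_id]


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_invoice_vulnerable, "bob", range(100, 110)))
    print("checked:   ", enumerate_ids(get_invoice_checked, "bob", range(100, 110)))
    bob_map = build_session_map("bob")
    print("indirect:  ", get_invoice_indirect(bob_map, bob_map.add(102)))
    print("forged:    ", get_invoice_indirect(bob_map, "101"))
```

Run as a script, the vulnerable handler lets bob enumerate all three invoices while the checked handler serves only his own; with the indirect map, a raw id or a token issued to alice's session both come back as 404.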
Code: A01:2021
Category: Broken Access Control
8.2