Rajan Sharma

14

What is IDOR and how to exploit it?

By Rajan Sharma

Last updated cal_iconMay 10, 2021

What is an IDOR?

IDOR Stands for Insecure Direct Object Reference and it is a type Of Access Control Vulnerability. According to OWASP IDOR occurs when a program allows direct access to objects based on user data, this is known as an unreliable direct object reference. As a result of this flaw, attackers can circumvent authorization and gain direct access to device resources, such as database records and files.

Insecure Direct Object References allow attackers to circumvent permission and gain direct access to resources by altering the value of a parameter that refers to the object directly. Such tools may include other users’ folder entries, machine files, and more.

Let us see an example of IDOR in Demo Application,

In a normal Scenario, the User will only have access to accounts with ID 800000 | 800001. But if the attacker changed the account ID to 800003, the attacker can be able to access the accounts of different users. This is due to Insecure Direct Object Reference.

Detailed attack scenario:

  1. Login to the application using the credentials User: admin and Password: admin.

2. As we can see that the user has only access to account number 800000 and 800001.

3.Now select 800000 Corporate in the View account details and click on go.

4.Login to the application using another user credentials User: jsmith and Password: Demo1234.

5.As we can see that the user has only access to account number 800002 | 800003 |4539082039396288 Credit Card

6.Now in above URL: http://demo.testfire.net/bank/showAccount?listAccounts=4539082039396288 as we can see the parameter.

7.But here if the attacker changed the parameter ?listAccounts=800003|800004 in the above URL. Attacker can be able to access the accounts of 800003|800004 as well.

Results for value 800003

http://demo.testfire.net/bank/showAccount?listAccounts=800003

Results for the value 800004

http://demo.testfire.net/bank/showAccount?listAccounts=800004

  1. As we can see that the attacker can access the data of other accounts (800003 | 800004) which shows that this application is vulnerable to Insecure Direct Object Reference(IDOR).

Mitigation:

  • Private object references, such as keys or file names, cannot be displayed by developers.
  • Parameter validation should be correctly applied.
  • It is necessary to double-check all the referenced items.
  • Tokens should be created in such a way that they can only be mapped to the dedicated user and should not be shared with someone else.
WEBSOCKETS WITH NODEJS What is React Hooks Data Modeling with MongoDB MULTIDIMENSIONAL GROUPING in MongoDB Using $facet Aggregation 50 JS Shorthand Book

Get In Touch

How Can We Help ?

We make your product happen. Our dynamic, robust and scalable solutions help you drive value at the greatest speed in the market

We specialize in full-stack software & web app development with a key focus on JavaScript, Kubernetes and Microservices
Your path to drive 360° value starts from here
Enhance your market & geographic reach by partnering with NodeXperts