What is IDOR and how to exploit it?
What is an IDOR?
IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability. According to OWASP, IDOR occurs when an application exposes a direct reference to an internal object based on user-supplied input without verifying that the user is authorized to access that object. As a result of this flaw, attackers can bypass authorization and gain direct access to system resources, such as database records and files.
Insecure Direct Object References allow attackers to bypass authorization and reach resources directly by altering the value of a parameter that refers to the object. Such resources may include other users' records, system files, and more.
Let us look at an example of IDOR in a demo application:
- Site: AltoroMutual
- Link: http://demo.testfire.net/
In a normal scenario, the user only has access to the accounts with IDs 800000 and 800001. But if the attacker changes the account ID to 800003, the attacker is able to access the accounts of a different user. This is an Insecure Direct Object Reference.
Detailed attack scenario:
1. Log in to the application with the credentials User: admin and Password: admin.
2. Note that this user only has access to account numbers 800000 and 800001.
3. Now select 800000 Corporate under View account details and click Go.
4. Log in to the application with another user's credentials, User: jsmith and Password: Demo1234.
5. Note that this user only has access to account numbers 800002, 800003 and 4539082039396288 (Credit Card).
6. Now look at the URL http://demo.testfire.net/bank/showAccount?listAccounts=4539082039396288 and note the listAccounts parameter.
7. If the attacker changes the parameter in the above URL to ?listAccounts=800003 (or 800004), the attacker is able to access accounts 800003 and 800004 as well.
Results for the value 800003
Results for the value 800004
- As we can see, the attacker can access the data of other accounts (800003 and 800004), which shows that this application is vulnerable to Insecure Direct Object Reference (IDOR).
How to prevent IDOR?
- Developers should not expose private object references, such as database keys or file names, directly to users.
- Parameter validation should be applied correctly.
- Every referenced object should be checked against the current user's permissions before it is returned.
- Tokens should be generated so that they map only to the dedicated user and cannot be used by someone else.
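To make the flaw and its fix concrete, here is an added example (not code from the original post or from the AltoroMutual demo application) modelling the showAccount?listAccounts=<id> handler twice: once as an IDOR, where the query parameter is used directly as the lookup key, and once with parameter validation and an ownership check. The account numbers are the ones from the walkthrough above; the owners, names and balances are constructed sample data.

```python
# Constructed sample data: which session user owns which account.
# Account numbers follow the walkthrough; names and balances are made up.
ACCOUNTS = {
    "800000": {"owner": "admin", "name": "Corporate", "balance": 52394.00},
    "800001": {"owner": "admin", "name": "Checking", "balance": 1240.50},
    "800002": {"owner": "jsmith", "name": "Savings", "balance": 300.00},
    "800003": {"owner": "jsmith", "name": "Checking", "balance": 75.00},
    "4539082039396288": {"owner": "jsmith", "name": "Credit Card", "balance": -40.00},
}


def show_account_vulnerable(session_user, list_accounts):
    """IDOR: the value of listAccounts is used directly as the lookup key.
    session_user is never consulted, so any logged-in user can read any row.
    Returns an (http_status, payload) pair like a web handler would."""
    account = ACCOUNTS.get(list_accounts)
    if account is None:
        return 404, None
    return 200, account


def show_account_fixed(session_user, list_accounts):
    """Same lookup, but the object must belong to the authenticated user.
    Validate the parameter format first, then authorize the object."""
    if not list_accounts.isdigit():
        return 400, None  # reject malformed ids before touching the data
    account = ACCOUNTS.get(list_accounts)
    # Return the same status for "does not exist" and "not yours" so the
    # response does not reveal which account numbers are valid.
    if account is None or account["owner"] != session_user:
        return 403, None
    return 200, account


def accessible_accounts(session_user):
    """What the account drop-down should offer: only the user's own objects.
    The server must still enforce this in the handler; the UI is not a control."""
    return sorted(k for k, v in ACCOUNTS.items() if v["owner"] == session_user)


if __name__ == "__main__":
    # admin is logged in (step 1) and requests jsmith's account 800003 (step 7)
    print("vulnerable:", show_account_vulnerable("admin", "800003"))
    print("fixed:     ", show_account_fixed("admin", "800003"))
    print("admin sees:", accessible_accounts("admin"))
```

The vulnerable handler returns jsmith's 800003 record to admin; the fixed handler answers 403 for that request and for the non-existent 800004, while still serving admin's own 800000.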