An Insecure Direct Object Reference can be one of the easiest bugs yet they can have a very big impact. IDOR is still a bug present in many websites. It was ranked 4th in the OWASP 2013 and is still present in the OWASP 2017 on the 5th place as part of Broken Access Control.

What is an IDOR?

”Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input.” OWASP

A simple example would be if you were looking at one of your messages and the URL looks like this https://www.example.com/message?id=31336. What would happen if you changed the id to 31337. Maybe you are able to see the message of another user?

To learn more about IDOR you should go and watch this awesome video by PwnFunction giving an extensive explanation and examples about Insecure Direct Object References.


Some key takeaways:

  • An IDOR can be used to create, read, update and delete data from other users
  • IDOR with an UUID? Try to find an endpoint where other users UUID are leaked
  • See if you can find a bypass with HTTP Parameter Pollution

I found an IDOR! – Did you really?

One of the questions you should ask yourself is, is this really an issue or is it intended behavior. Is there a security impact? (You should really ask this question to yourself every time before submitting!)

Some examples of people who misunderstood the behavior of the application.

You found an IDOR but the ID is an UUID or just a long random string. Unless you can find someone else’s UUID in the web application it would be very hard to guess it (aka closed as Not Applicable)

Impact

It is hard to say what the potential impact of IDOR as it depends on what kind of data the attacker can get a hold on. Because an IDOR is often very easy to exploit, means that it is very likely to be abused. Below you can find some write-ups that show how high of an impact IDOR can have.

Exposing personal data

A great example that shows that you don’t always need a numeric id for finding IDOR’s (John H4X00R)

An example of how incrementing by one can earn you a big bounty. IDOR disclosing private attachments in Facebook Messenger (by Sarmad Hassan)

Editing or adding data

Always keep an eye out for new features! IDOR on Instagram (by Sarmad Hassan)

Publish tweets by any other user (by Kedrisec)

Account takeover

A write-up by our best researcher on how a simple IDOR could lead to an account takeover (by Arne Swinnen)

Taking it a step further. IDOR leads to account takeover (by s0cket7)

How to prevent IDOR?

The best way to prevent IDOR is to perform an access control check to see if the user is authorized to access the requested object.

A blog post from Troy Hunt his OWASP TOP 10 for .NET developers serie

Insecure Direct Object Reference Prevention Cheat Sheet by OWASP

Want more?

Want to know where to find IDORs? A tutorial by security researcher zseano sharing some tips & tricks about IDOR.

Follow us on twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land & powered by intigriti containing more write-ups and helpful resources.