Insecure Direct Object Reference – IDOR Vulnerability
Apr 27, 2022
6 min read
When a web server handles a request, it works out which resource is being accessed from parameters carried in the HTTP request: a path segment, a query-string value, a form field, a cookie. The direct object reference is that value, the database key, file name or other identifier the application uses to locate the object. If the server looks the object up by that value without also checking that the requesting user is permitted to access it, an attacker can change the parameter and retrieve or modify objects that belong to someone else. This flaw is known as an Insecure Direct Object Reference (IDOR) vulnerability.
This article explains what Insecure Direct Object References are, their impacts, and possible remediation plans.
What is Insecure Direct Object Reference?
An Insecure Direct Object Reference flaw occurs when the server accepts a reference to an object from the HTTP request and acts on it without verifying that the requesting user is authorized to access that particular object. Authentication is usually intact: the attacker is a legitimate, logged-in user. What is missing is the authorization check that ties the object to the user, so the attacker simply changes the value of the ID parameter (for example, incrementing an invoice number in a URL) and the application returns or modifies another user's object. Depending on what the object is, the impact ranges from disclosure of other users' data to modifying or deleting it; in the worst case, users' sensitive personal and financial details are exposed.
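The following is an added example, not code from the original article, showing the flaw described above beside its fix. It is written in Python against constructed in-memory data rather than a real database or web framework: a vulnerable lookup that trusts the id parameter, the same lookup with a server-side ownership check, and a sweep of the id parameter that shows what a logged-in attacker can retrieve from each. The Invoice record, the INVOICES table and the handler names are assumptions made for illustration.

```python
# Added example (not from the original article): an IDOR-prone lookup
# beside its hardened form, over constructed in-memory data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: user 1 owns invoice 101, user 2 owns 102 and 103.
INVOICES = {
    101: Invoice(101, owner_id=1, amount_cents=4_999),
    102: Invoice(102, owner_id=2, amount_cents=125_000),
    103: Invoice(103, owner_id=2, amount_cents=899),
}


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def get_invoice_vulnerable(session_user_id: int, params: dict) -> Invoice:
    """Vulnerable handler: the client-supplied 'id' is the only thing that
    decides which invoice comes back. The session identity is never consulted,
    so any logged-in user can read any invoice by changing the parameter."""
    invoice_id = int(params["id"])
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice_fixed(session_user_id: int, params: dict) -> Invoice:
    """Hardened handler: same lookup, plus an ownership check against the
    identity held in the server-side session (never taken from the request).
    A foreign invoice and a nonexistent one both yield NotFound, so the
    endpoint does not reveal which ids exist."""
    try:
        invoice_id = int(params["id"])
    except (KeyError, ValueError):
        raise NotFound(params.get("id"))
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        raise NotFound(invoice_id)
    return invoice


def readable_ids(handler, attacker_user_id: int, candidate_ids) -> list:
    """Simulate the attacker's move: keep the same session, sweep the id
    parameter, and record every invoice the handler hands back."""
    found = []
    for candidate in candidate_ids:
        try:
            handler(attacker_user_id, {"id": str(candidate)})
            found.append(candidate)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    sweep = range(100, 110)
    print("vulnerable:", readable_ids(get_invoice_vulnerable, 1, sweep))  # [101, 102, 103]
    print("fixed:     ", readable_ids(get_invoice_fixed, 1, sweep))       # [101]
```

Running it shows the vulnerable handler returning all three invoices to user 1, while the hardened handler returns only the one user 1 owns. Two details of the fix matter in practice: the ownership comparison uses the identity stored in the server-side session, never a user id supplied by the client, and a foreign id and a nonexistent id produce the same response, so the endpoint cannot be used to enumerate which objects exist.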
An Insecure Direct Object Reference vulnerability arises from three security gaps: