Insecure direct object references (IDOR)

IDOR

Category: Broken Access Control

Severity: High

Description

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input (for example an id in a URL or form field) to access an object directly, without verifying that the requesting user is authorized to reach that object. The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation (one user reaching another user's data), but they can also arise in relation to vertical privilege escalation (a user reaching functionality reserved for a higher privilege level).

Impact

  • Unauthorized Data Access

  • Account Takeover

  • Information Disclosure

Remediation

Access control vulnerabilities can be prevented by taking a defense-in-depth approach and applying the following principles:

  • Never rely on obfuscation alone for access control.

  • Unless a resource is intended to be publicly accessible, deny access by default.

  • Wherever possible, use a single application-wide mechanism for enforcing access controls.

  • At the code level, make it mandatory for developers to declare the access that is allowed for each resource, and deny access by default.

  • Thoroughly audit and test access controls to ensure they work as designed.
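The principles above, shown side by side in an added example that is not part of the original page: a lookup that trusts the user-supplied id next to a hardened version that routes every object access through one application-wide authorization mechanism and denies by default. The invoice store, the `User` type and the `owner_or_admin` rule are constructed for illustration.

```python
from dataclasses import dataclass
from functools import wraps

# Constructed sample data: two customers, each owning one invoice.
INVOICES = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 99.50},
}

@dataclass(frozen=True)
class User:
    name: str
    role: str = "customer"

class Forbidden(Exception):
    """Raised when the requester is not allowed to reach the object."""

# --- Vulnerable: the object is fetched by the user-supplied id alone -------
def get_invoice_idor(requester: User, invoice_id: int) -> dict:
    # No check that the requester owns invoice_id, so any authenticated
    # user who supplies a different id reads someone else's invoice.
    return INVOICES[invoice_id]

# --- Hardened: one application-wide authorization mechanism ---------------
def authorize(rule):
    """Every handler must declare its access rule; the wrapper loads the
    object and denies by default when the rule is absent or fails."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(requester: User, object_id: int):
            obj = INVOICES.get(object_id)
            # Unknown ids and failed rules raise the same error, so the
            # response does not reveal which ids exist.
            if obj is None or not rule(requester, obj):
                raise Forbidden(f"{requester.name} may not access {object_id}")
            return handler(requester, obj)
        return wrapper
    return decorator

def owner_or_admin(requester: User, obj: dict) -> bool:
    return requester.role == "admin" or obj["owner"] == requester.name

@authorize(owner_or_admin)
def get_invoice(requester: User, invoice: dict) -> dict:
    # The handler only ever sees an object the rule has already approved.
    return invoice

def can_read_invoice(requester: User, invoice_id: int) -> bool:
    """Convenience check used to demonstrate the access decision."""
    try:
        get_invoice(requester, invoice_id)
        return True
    except Forbidden:
        return False
```

The vulnerable function returns Alice's invoice to Bob; the hardened one returns it only to Alice or an admin and refuses both foreign and nonexistent ids identically.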

References

https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References