What are insecure direct object references (IDOR)?

Insecure direct object reference (IDOR) is a security risk that refers to the act of using an identifier for direct access to an internal object without any additional authorization checks.

Most webpages generate user ids, cookie ids, and other identifiers iteratively, e.g., a user may have the id 1024, and the very next user will have the id 1025. The requests made to the database will be:

$http://www.abank.com/transaction.php?id=1024$

IDOR vulnerability makes the webpage susceptible to hackers as they can gain access to other users’ data by merely changing the id:

$http://www.abank.com/transaction.php?id=1025$

Common types of IDOR vulnerabilities

IDOR vulnerabilities can be used to exploit filenames to download unauthorized files by changing the filename:

$http://www.ifiles.com/download\_file.php?a.txt$

IDOR vulnerabilities can be used to change passwords of different users by hijacking their ids and accessing their accounts:

$http://www.ifiles.com/change\_password.php?id=1024$

IDOR vulnerabilities can be used to hijack cookies of users that include their saved passwords and additional sensitive information, by merely replacing the cookie ID:

$http://www.ifiles.com/cookieid=002891981$

IDOR vulnerabilities can also be used to gain access to the server and display files that users could not see otherwise:

$http://www.ifiles.com/display\_file?../../../../etc/passwd$

Prevention

• Most frameworks now come with built-in methods to avoid these vulnerabilities. Use these built-in tools to improve the security of the web app.

• One of the ways users can ensure the safety of their web apps is by making sure that no data is transmitted in cleartext. Users can hash passwords or ids and then transmit the data.

• Another prevention method is to ensure that no ids are generated iteratively, rather they should be generated randomly. The larger the possibilities, the more time it will take hackers to guess the cookie/user id of users, which increases security.