Jump to content

Insecure direct object reference

Edit links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 94.110.104.104 (talk) at 16:29, 14 August 2023. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Insecure direct object reference (IDOR) is a type of access control vulnerability in digital security.[1]

This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. For example, if the request URL sent to a web site directly uses an easily enumerated unique identifier (such as http://foo.com/doc/1234), that can provide an exploit for unintended access to all records.

A directory traversal attack is considered a special case of a IDOR.[2]

The vulnerability is of such significant concern that for many years it was listed as one of the Open Web Application Security Project’s (OWASP) Top 10 vulnerabilities.[3]

Examples

In November 2020, the firm Silent Breach identified an IDOR vulnerability with the United States Department of Defense web site and privately reported it via the DOD's Vulnerability Disclosure Program. The bug was fixed by adding a user session mechanism to the account system, which would require authenticating on the site first.[4]

It was reported that the Parler social networking service used sequential post IDs, and that this had enabled the scraping of terabytes of data from the service in January 2021. The researcher responsible for the project has said this was inaccurate.[5][6]

References

  1. ^ "Insecure direct object references (IDOR) | Web Security Academy". portswigger.net. Retrieved 2021-01-12.
  2. ^ Karande, Chetan. "Securing Node Applications - 4. Insecure Direct Object References". www.oreilly.com. Retrieved 2021-01-12.{{cite web}}: CS1 maint: url-status (link)
  3. ^ Solomon, Howard (2021-01-12). "Common development error likely led to huge Parler data theft, says expert | IT World Canada News". www.itworldcanada.com. Retrieved 2021-01-12.
  4. ^ Cimpanu, Catalin. "Bug hunter wins 'Researcher of the Month' award for DOD account takeover bug". ZDNet. Retrieved 2021-01-12.
  5. ^ Greenberg, Andy (January 12, 2021). "An Absurdly Basic Bug Let Anyone Grab All of Parler's Data". Wired. Archived from the original on January 12, 2021. Retrieved January 12, 2021.
  6. ^ @donk_enby (January 30, 2021). "also a lot of the news coverage claimed the post IDs were sequential. they were not, but: https://github.com/d0nk/parler-tricks/blob/main/parler/conversion.py#L22 (this endpoint only existed in their iOS app and afaik wasn't actually used for anything)" (Tweet). Archived from the original on February 12, 2021. Retrieved February 12, 2021 – via Twitter. {{cite web}}: |archive-date= / |archive-url= timestamp mismatch; January 30, 2021 suggested (help)


Stub icon

This computer security article is a stub. You can help Wikipedia by expanding it.


Added with the help of ChatGpt-3

An Insecure Direct Object Reference (IDOR) is a security vulnerability that occurs when an application allows a user to manipulate or access sensitive resources or objects directly, bypassing any authorization or authentication mechanisms. In simpler terms, it's a flaw that occurs when an application fails to properly validate and control user access to its internal resources.

Here's a breakdown of how this vulnerability works: 

   Resources/Object References: In many applications, there are internal resources or objects that users should not have direct access to, such as private documents, user profiles, financial records, or any other sensitive data.

   Lack of Proper Authorization: Properly designed applications implement access controls to ensure that users can only access the resources they are authorized to access. This involves using authentication to verify the user's identity and then authorization to determine what actions or resources they are allowed to interact with.

   Exploiting the Vulnerability: In an IDOR vulnerability, an attacker finds a way to manipulate the application's input parameters or URLs to directly access resources they shouldn't have access to. This can be done by modifying parameters, such as changing an ID number in a URL, to reference another user's data.

   Bypassing Access Controls: Since the application is not properly validating the user's authorization, the attacker can bypass the intended access controls and retrieve or modify sensitive information belonging to other users.

For example, consider an online bookstore application. Each user has a unique ID associated with their account. The application uses this ID to fetch a user's order history. If the application doesn't properly validate the user's identity and simply relies on the ID provided in the URL, an attacker could change the ID in the URL to access another user's order history.

To prevent IDOR vulnerabilities, developers should follow secure coding practices: 

   Implement proper authorization mechanisms to ensure that users can only access the resources they are allowed to.
   Avoid exposing sensitive data or object references directly in URLs or input parameters.
   Validate user input and ensure that users can only access resources they have explicit permission for.
   Implement access controls at both the front-end and back-end levels.
   Use randomized or encrypted identifiers rather than sequential or easily guessable ones.

Regular security testing, code reviews, and vulnerability assessments can help identify and address IDOR vulnerabilities before they are exploited by malicious actors.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Insecure_direct_object_reference&oldid=1170363080"