Jump to content

Insecure direct object reference

Edit links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Fuzheado (talk | contribs) at 20:03, 12 January 2021 (start). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

Insecure direct object reference or IDOR is a type of access control vulnerability in digital security.Cite error: There are <ref> tags on this page without content in them (see the help page).

This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. For example, if the request URL sent to a web site directly uses a unique identifier, that can be an exploit for unintended access to all records. 

http://foo.com/doc/1234

The vulnerability is of such significant concern that for many years it was listed as one of the Open Web Application Security Project’s (OWASP) Top 10 vulnerabilities.[1] According to application security engineer John Jackson, "Insecure Direct Object Reference vulnerabilities are those silent, underrated bugs, yet they are not uncommon."[2]

Exploits

This type of exploit was identified in the mass downloading of vast quantities of posts and media files from the Parler social networking service in January 2021 as no authentication was needed to access to company's API and there was no rate limiting implemented.[3]

In November 2020, the firm Silent Breach identified an IDOR vulnerability with the United States Department of Defense web site and privately reported it via the DOD's Vulnerability Disclosure Program. The bug was fixed by adding a user session mechanism to the account system, which would require authenticating on the site first.

References

  1. ^ https://www.itworldcanada.com/article/common-development-error-likely-led-to-huge-parler-data-theft-says-expert/440646
  2. ^ https://www.zdnet.com/article/bug-hunter-wins-researcher-of-the-month-award-for-dod-account-takeover-bug/
  3. ^ https://www.wired.com/story/parler-hack-data-public-posts-images-video/

This article is a stub. You can help Wikipedia by expanding it.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Insecure_direct_object_reference&oldid=999953791"