IDOR Vulnerability Explained | OWASP TOP 10 2021 : Broken Access Control


A Direct Object Reference is a web application design method in which entity names are used to identify application-controlled resources, and those names are passed in URLs or request parameters. An IDOR (Insecure Direct Object Reference) vulnerability occurs when an application exposes a reference to an internal implementation object, revealing the real identifier used to access the element on the backend, and then fails to verify that the requester is allowed to use it. IDOR arises from weak access control implementation and can lead to unauthorized access to sensitive private data, files, privileged functions, etc.

For example, suppose there is a website that allows users to set up a profile, like LinkedIn, and share information about themselves. A logged-in user can retrieve all the private details of their own account using the API shown below.

Now, if a malicious user tampers with the uid parameter by changing it to 1201 and gains access to another user's private details, the application is vulnerable to IDOR (with horizontal privilege escalation): by incrementing or decrementing the uid value, an attacker can access every user's private details.

Now let's look at some examples of Broken Access Control in the test lab environment. To set up your lab, see our previous blog post [How to Setup Web Application Security Testing Environment].

Impact of IDOR

The impact of an IDOR vulnerability depends on the affected application functionality. IDOR can put all three CIA properties (Confidentiality, Integrity, Availability) of data at risk: for example, exposing personal data, editing or adding data, or even account takeover. For more details, read the intigriti article.

IDOR Example

IDOR example from XVWA

On the IDOR page, only 5 items are accessible through the drop-down menu,

but by incrementing the item parameter in the URL we can access additional items that are not listed in the drop-down list.

Remediation of IDOR

An IDOR vulnerability can be remediated by properly implementing access control on every function: for each request, check not only that the user is authenticated, but that the authenticated user is actually authorized to access the specific object or functionality being requested.
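As an added example that is not from the original post, here is the profile lookup described above written three ways in Python: the vulnerable version that trusts the uid parameter, the same lookup with an object-level authorization check, and a variant that derives the id from the session so there is no parameter to tamper with. The profile store and user ids are constructed sample data.

```python
# Added example (not from the original post): a minimal profile lookup
# showing the IDOR pattern from the post and its remediation.
# PROFILES and the uid values are constructed sample data.

PROFILES = {
    1200: {"name": "Alice", "email": "alice@example.com"},
    1201: {"name": "Bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_profile_vulnerable(session_uid: int, requested_uid: int) -> dict:
    """Vulnerable: checks that the session is authenticated, then trusts
    the uid parameter from the request. Any logged-in user can read any
    profile by changing uid (horizontal privilege escalation)."""
    if session_uid not in PROFILES:
        raise Forbidden("not authenticated")
    return PROFILES[requested_uid]


def get_profile_fixed(session_uid: int, requested_uid: int) -> dict:
    """Fixed: object-level authorization. The requested object must belong
    to the authenticated user; the uid from the request is never trusted
    on its own."""
    if session_uid not in PROFILES:
        raise Forbidden("not authenticated")
    if requested_uid != session_uid:
        # Same response for "not yours" and "does not exist", so the
        # error does not confirm which ids are valid.
        raise Forbidden("access denied")
    return PROFILES[requested_uid]


def get_own_profile(session_uid: int) -> dict:
    """Stronger variant: derive the object id from the server-side session
    and drop the uid parameter entirely."""
    if session_uid not in PROFILES:
        raise Forbidden("not authenticated")
    return PROFILES[session_uid]
```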
