INSECURE DIRECT OBJECT REFERENCE (IDOR):
Insecure Direct Object Reference (or IDOR) is the seventh entry (merged with Cross-Site Scripting) in the Open Web Application Security Project (OWASP) Top 10 vulnerabilities. In this type of vulnerability, the web application grants the user access to objects he is not authorized for, based on an input value that was originally issued to grant him access only to those objects he was allowed to view and/or modify. This bug is a type of Parameter Tampering.
How does it work?
You log in to a web application with your credentials and are authorized to view and modify only the data that you have been allowed to access. You are assigned a parameter that serves as your identity for that session and keeps you logged in to your account. Now, if, while still logged in, you change that parameter's value in the URL and are directed to another person's data, the web application has an IDOR vulnerability. In other cases the IDOR is not used for traversing the database at all: suppose you log in to an online shopping website and buy some products. If an IDOR bug is present, you can tamper with the price and trick the web application, and the owner of the online store, into believing that the product is actually very cheap or that there is a glitch at their end.
How to find an IDOR Vulnerability?
Web applications use many variables (or parameters) such as 'pid', 'id', 'uid', etc., each holding a unique value for a unique user. If you change the values of these parameters and are directed to another user's data, or if changing them alters the behavior of the application, then the IDOR bug is present, and it can be exploited against the web application and the database however the attacker wants.
How to prevent IDOR?
Preventing IDOR is very important: firstly, because the attacker can easily access other users' data and manipulate it however he likes; and secondly, in the case of an online shopping store, the attacker can tamper with the price. So how is this vulnerability prevented? The first method is to set up access controls at multiple points in the web application's source code and the database. For example, the web application should check at multiple points whether the user is authorized to perform a certain action or not. The second method is input validation: the web application should restrict the user from entering any malicious input. The validation check has to be on the server side, because client-side checks cannot guarantee that malicious input is rejected.
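The following is an added example, not code from the original article: it shows the two situations described above (an object lookup keyed by an 'id' parameter, and a checkout that trusts a client-supplied price) in their vulnerable form beside a hardened form that applies both prevention methods, with ownership enforced in the data-access layer and input validated in the handler. It also includes the "change the id and see what comes back" check as a regression test an application's own test suite could run. The in-memory tables, the Session object, the parameter names and all function names are constructed here for illustration and are not from any real framework.

```python
"""Added example (not the article's own code): IDOR-prone handlers beside their
hardened versions, plus a regression check. Tables, session, parameter and
function names are all constructed for illustration."""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for missing *and* foreign records so ids cannot be enumerated."""


class BadRequest(Exception):
    """Raised when a request parameter fails server-side validation."""


@dataclass(frozen=True)
class Session:
    user_id: int  # set by the server at login, never read from the URL or body


# Constructed in-memory tables standing in for the application's database.
ORDERS = {
    101: {"owner": 1, "sku": "book", "qty": 2},
    102: {"owner": 2, "sku": "lamp", "qty": 1},
}
CATALOG = {"book": 1299, "lamp": 4500}  # unit prices in cents; authoritative on the server


# --- data-access layer: first enforcement point ------------------------------
def load_order_for(user_id, order_id):
    """Ownership is part of the query itself, so no caller can forget it."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user_id:
        raise NotFound(f"order {order_id}")
    return order


# --- request handlers ---------------------------------------------------------
def get_order_vulnerable(session, params):
    """IDOR: trusts ?id= and returns whichever record it names."""
    return ORDERS[int(params["id"])]


def get_order_hardened(session, params):
    """Validates the parameter (second enforcement point), then lets the
    data layer enforce ownership against the server-side session identity."""
    raw = params.get("id", "")
    if not raw.isdigit():
        raise BadRequest("id must be a positive integer")
    return load_order_for(session.user_id, int(raw))


def checkout_vulnerable(session, params):
    """Price tampering: the total is computed from a client-supplied price."""
    return int(params["price"]) * int(params["qty"])


def checkout_hardened(session, params):
    """The client may choose only sku and quantity; the price comes from the catalog."""
    sku = params.get("sku")
    if sku not in CATALOG:
        raise BadRequest("unknown sku")
    qty = params.get("qty", "")
    if not qty.isdigit() or not 1 <= int(qty) <= 100:
        raise BadRequest("qty must be between 1 and 100")
    return CATALOG[sku] * int(qty)


# --- regression check: the "change the id" test from the article ------------
def idor_regression_check(handler, session, own_id, foreign_id):
    """True if the handler serves the user's own record but refuses a foreign one."""
    try:
        handler(session, {"id": str(own_id)})
    except (NotFound, BadRequest, KeyError):
        return False  # legitimate access must still work
    try:
        handler(session, {"id": str(foreign_id)})
    except (NotFound, BadRequest, KeyError):
        return True
    return False  # the foreign record was served: IDOR present


if __name__ == "__main__":
    alice = Session(user_id=1)
    print("vulnerable lookup passes check?", idor_regression_check(get_order_vulnerable, alice, 101, 102))
    print("hardened lookup passes check?", idor_regression_check(get_order_hardened, alice, 101, 102))
    print("tampered checkout total (cents):", checkout_vulnerable(alice, {"price": "1", "qty": "2"}))
    print("hardened checkout total (cents):", checkout_hardened(alice, {"sku": "book", "qty": "2"}))
```

Two design points are worth noting. The hardened lookup answers a foreign id and a non-existent id with the same NotFound, so the response does not reveal which ids are in use; and the ownership filter lives in `load_order_for` rather than in each handler, which is what "access controls at multiple points" looks like in practice: the handler validates the shape of the input, the data layer refuses to return a record the session does not own, and neither check relies on the other.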