Insecure Direct Object Reference (IDOR)

An IDOR (Insecure Direct Object Reference) vulnerability is a type of security flaw that occurs when an application uses user-supplied input to access or manipulate data objects, such as files or database records, without properly validating and authorizing the user's request. This can allow an attacker to bypass access controls and gain unauthorized access to sensitive information or resources by manipulating the direct object reference (e.g., changing a numeric ID in a URL to access another user's data).

Another name for IDOR vulnerabilities is Broken Object Level Authentication (BOLA).

Burp Suite Regex

Use the following regex in Burp Suite to find request parameters whose name ends in "id" (for example id or user_id); these are the parameters most worth testing for IDOR.

(?i)\b\w*id\b(?!\w)\s*=\s*("[^"]*"|'[^']*'|[^&\s}]*)

Notes

Even when the values of the vulnerable parameters are hard to guess, the issue is still a valid IDOR vulnerability. The essence of IDOR is that the application lets a user manipulate object references directly without an authorization check. Unguessable values raise the effort needed to exploit the weakness, but they do not remove it.
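As an added illustration (not code from the original page), a minimal Python model of the flaw described above and of the note on hard-to-guess identifiers: the same invoice lookup in a vulnerable form, which trusts the supplied id, and a hardened form that checks the object's owner against the authenticated requester. The invoice records, user names and id values are constructed sample data.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Requester may not access the referenced object."""

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner: str
    total: int

# Constructed sample data (hypothetical, not from the page): two sequential,
# guessable ids and one random-looking id owned by a third user.
RANDOM_ID = "b7f3c9d2e1a04f6c"
INVOICES = {
    "1001": Invoice("1001", "alice", 250),
    "1002": Invoice("1002", "bob", 980),
    RANDOM_ID: Invoice(RANDOM_ID, "carol", 4100),
}

def get_invoice_insecure(requester: str, invoice_id: str) -> Invoice:
    """Vulnerable: the user-supplied id alone selects the object. `requester`
    is authenticated but never compared with the owner, so anyone who knows
    or guesses an id reads that invoice (the IDOR described above)."""
    if invoice_id not in INVOICES:
        raise LookupError("no such invoice")
    return INVOICES[invoice_id]

def get_invoice_secure(requester: str, invoice_id: str) -> Invoice:
    """Hardened: same lookup plus an object-level authorization check. Missing
    and foreign invoices raise the same error so the response does not
    confirm which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != requester:
        raise Forbidden("invoice not accessible")
    return invoice

def is_accessible(handler, requester: str, invoice_id: str) -> bool:
    """True if `handler` hands `requester` the invoice, False if it refuses."""
    try:
        handler(requester, invoice_id)
    except (Forbidden, LookupError):
        return False
    return True

def owners_readable(handler, requester: str, candidate_ids) -> set:
    """Owners of every invoice `requester` can pull through `handler` by trying
    each candidate id: the cross-user exposure an IDOR check measures."""
    return {handler(requester, i).owner for i in candidate_ids
            if is_accessible(handler, requester, i)}
```

The random id is just as exposed as the sequential ones through the insecure handler once it is known; only the ownership check in the secure handler closes the hole.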

Resources

This is one of the best IDOR walkthroughs I've ever watched. Z-winK does an excellent job covering different types of IDOR, providing examples, and showing how you can hunt these vulnerabilities in the wild yourself.
