Insecure Direct Object Reference
To quote the folks over at PortSwigger, IDORs are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.
Basic example
Let's imagine the website we're using allows us to browse our own user profile. We notice that the URL looks something like http://website/customer_profile?id=10
That strongly suggests that profiles 1 to 9 also exist. If we attempt to access http://website/customer_profile?id=1
and the application lets us view it, then there is an IDOR vulnerability: the id taken from the URL is used directly as the object reference, with no check that the requesting user is actually authorised to see that object.
Please note that some of those parameters may not always be in clear text, but may be encoded or even hashed (e.g. Base64 or MD5). Obscuring the value is not access control: the server still has to check authorisation on the decoded id.
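The missing check, as an added Python example that is not from the original page or from PortSwigger: a handler that uses the id directly beside one that ties the object to the session user, plus the Base64-encoded variant from the note above. The in-memory PROFILES store, the Forbidden exception and the handler names are constructed for illustration.

```python
import base64

# Constructed in-memory store standing in for the application's database.
# owner_id is the user who is allowed to read the profile.
PROFILES = {
    1: {"owner_id": 1, "name": "alice", "email": "alice@example.invalid"},
    10: {"owner_id": 10, "name": "bob", "email": "bob@example.invalid"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def vulnerable_profile(session_user_id: int, requested_id: int) -> dict:
    """IDOR: the id from the URL is used directly; nothing ties it to the session."""
    return PROFILES[requested_id]


def fixed_profile(session_user_id: int, requested_id: int) -> dict:
    """Same lookup, but the object is released only if the session user owns it."""
    profile = PROFILES.get(requested_id)
    # One Forbidden for both "missing" and "not yours" avoids confirming
    # to a caller which ids exist.
    if profile is None or profile["owner_id"] != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read profile {requested_id}")
    return profile


def encode_id(object_id: int) -> str:
    """How an application might obscure the id in the URL (Base64, URL-safe)."""
    return base64.urlsafe_b64encode(str(object_id).encode()).decode()


def decode_id(raw: str) -> int:
    """Encoding is not access control: the real id is recovered trivially."""
    return int(base64.urlsafe_b64decode(raw.encode()).decode())


def fixed_profile_encoded(session_user_id: int, raw_id: str) -> dict:
    """The ownership check must run on the decoded id, not on the opaque string."""
    return fixed_profile(session_user_id, decode_id(raw_id))


def is_forbidden(handler, session_user_id, requested) -> bool:
    """Small helper to compare the two handlers side by side."""
    try:
        handler(session_user_id, requested)
        return False
    except Forbidden:
        return True
```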