Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP
- PortSwigger/BApp Store > Authz
- PortSwigger/BApp Store > AuthMatrix
- PortSwigger/BApp Store > Autorize
IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion.
**Example of IDOR**

Imagine a web application that allows users to view their profile by clicking a link `https://example.com/profile?user_id=123`:

```php
<?php
// The identifier is taken straight from the query string and used to look up
// the record; nothing ties it to the logged-in user (deliberately vulnerable).
$user_id = $_GET['user_id'];
$user_info = get_user_info($user_id);
...
```

Here, `user_id=123` is a direct reference to a specific user's profile. If the application doesn't properly check that the logged-in user has the right to view the profile associated with `user_id=123`, an attacker could simply change the `user_id` parameter to view other users' profiles:

`https://example.com/profile?user_id=124`
Increment and decrement these values to access sensitive information.
- Decimal value: `287789`, `287790`, `287791`, ...
- Hexadecimal: `0x4642d`, `0x4642e`, `0x4642f`, ...
- Unix epoch timestamp: `1695574808`, `1695575098`, ...
**Examples**
- HackerOne - IDOR to view User Order Information - meals
- HackerOne - Delete messages via IDOR - naaash
Some identifiers, such as names and emails, can be guessed; they might grant access to customer data.
- Name: `john`, `doe`, `john.doe`, ...
- Email: `john.doe@mail.com`
- Base64 encoded value: `am9obi5kb2VAbWFpbC5jb20=`
**Examples**

- UUID/GUID v1 can be predicted if you know the time they were created: `95f6e264-bb00-11ec-8833-00155d01ef00`
- MongoDB Object Ids are generated in a predictable manner: `5ae9b90a2c144b9def01ec37`
    - a 4-byte value representing the seconds since the Unix epoch
    - a 3-byte machine identifier
    - a 2-byte process id
    - a 3-byte counter, starting with a random value
**Examples**
- HackerOne - IDOR allowing to read another user's token on the Social Media Ads service - a_d_a_m
- IDOR through MongoDB Object IDs Prediction
Sometimes we see websites using hashed values to generate a random user id or token, like `sha1(username)`, `md5(email)`, ...
- MD5: `098f6bcd4621d373cade4e832627b4f6`
- SHA1: `a94a8fe5ccb19ba61c4c0873d391e987982fbbd3`
- SHA2: `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08`
**Examples**
Send a wildcard instead of an ID; some backends might respond with the data of all the users.

```http
GET /api/users/* HTTP/1.1
GET /api/users/% HTTP/1.1
GET /api/users/_ HTTP/1.1
GET /api/users/. HTTP/1.1
```
**Examples**
- Change the HTTP request method: `POST → PUT`
- Change the content type: `XML → JSON`
- Transform numerical values to arrays: `{"id":19} → {"id":[19]}`
- Use Parameter Pollution: `user_id=hacker_id&user_id=victim_id`
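The following is an added example (not part of the original page): it puts the page's vulnerable `profile?user_id=` lookup next to a hardened version that enforces ownership, rejects the wildcard and array-shaped identifiers listed above, and shows the indirect-reference map that the OWASP prevention cheat sheet recommends. User records, the `Forbidden` exception and `ReferenceMap` are constructed for the demo.

```python
import re
import secrets

# Constructed sample data: two users, each owning exactly one profile record.
USERS = {
    123: {"name": "john.doe", "email": "john.doe@mail.com"},
    124: {"name": "jane.roe", "email": "jane.roe@mail.com"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to reach the referenced object."""


def vulnerable_profile(query_user_id, session_user_id):
    # Same shape as the page's PHP snippet: the id comes straight from the
    # request and is never compared with the logged-in user's id.
    return USERS[int(query_user_id)]


# Strict allow-list for the identifier: decimal digits only, so '*', '%',
# '_', '.', hex strings and empty values never reach the data layer.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def hardened_profile(query_user_id, session_user_id):
    # A non-string (e.g. a JSON array like {"id":[19]}) is rejected before
    # any parsing happens.
    if not isinstance(query_user_id, str) or not ID_PATTERN.fullmatch(query_user_id):
        raise ValueError("malformed user_id")
    requested = int(query_user_id)
    # Ownership check: the object must belong to the authenticated session.
    if requested != session_user_id:
        raise Forbidden("user_id does not belong to this session")
    return USERS[requested]


class ReferenceMap:
    """Per-session indirect references: the client only ever sees a random
    handle, so the real key cannot be incremented or guessed from a URL."""

    def __init__(self):
        self._handles = {}

    def handle_for(self, object_id):
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = object_id
        return handle

    def resolve(self, handle):
        if handle not in self._handles:
            raise Forbidden("unknown reference")
        return self._handles[handle]
```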
- OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)
- OWASP - Insecure Direct Object Reference Prevention Cheat Sheet
- BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton
- Manipulation of ETH balance
- Viewing private Airbnb Messages
- Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018
- IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained
- Testing for IDORs - PortSwigger
- Insecure direct object references (IDOR) - PortSwigger
- The Rise of IDOR - HackerOne - April 2nd, 2021