What is IDOR?

IDOR (Insecure Direct Object Reference) is a type of access control vulnerability that occurs when an application exposes internal objects (like files, records, or database entries) through user-supplied input without proper authorization checks.

It allows an attacker to manipulate an ID in the URL or request body and thereby read other users' data or perform actions on their objects that the attacker is not authorized for.

📂 Common IDOR Scenarios

1. URL-based IDOR

User A accesses /invoice/1234. If changing the ID to /invoice/1235 shows another user's invoice, the endpoint is vulnerable.

2. POST Body Manipulation

Modifying JSON request bodies to change "user_id":123 to "user_id":124 may grant unauthorized access.

3. File Download/Upload IDs

Guessable file IDs like /download/file?id=567 can leak private documents if not checked against user permissions.

🧠 How to Identify and Exploit IDOR

Step 1: Observe URLs and Requests

Look for numeric or sequential IDs in URLs, cookies, headers, or request bodies.

Step 2: Modify the ID

Increment or guess another user's ID (e.g., change user_id=101 to user_id=102).

Step 3: Analyze the Response

If you receive unauthorized data (e.g., someone else's profile or document), the application is likely vulnerable.

Step 4: Confirm Authorization Failure

Confirm that no access control logic (session checks, role checks, etc.) is being enforced for the requested object.
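The four steps above describe the access pattern an IDOR probe leaves behind: one session, one endpoint, many distinct object IDs in a short time. From the defender's side, that same pattern is what to alert on. The following is an added example, not code from the original article, that runs a sliding-window check over a few constructed access-log lines; the log format, session identifiers and the /api/user and /invoice paths are assumptions made for the demo.

```python
"""Added example (not part of the original article): flag sessions that
walk through many distinct object IDs on one endpoint, the access pattern
an IDOR probe leaves in server logs. Log lines, paths and session ids
below are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, session id, method, path, status.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sess_A GET /api/user/2345 200
2024-05-01T10:00:03Z sess_A GET /api/user/2346 200
2024-05-01T10:00:04Z sess_A GET /api/user/2347 200
2024-05-01T10:00:05Z sess_A GET /api/user/2348 200
2024-05-01T10:00:06Z sess_A GET /api/user/2349 200
2024-05-01T10:00:07Z sess_A GET /api/user/2350 200
2024-05-01T10:00:09Z sess_B GET /api/user/7777 200
2024-05-01T10:05:00Z sess_B GET /invoice/1234 200
2024-05-01T10:30:00Z sess_A GET /api/user/2345 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sess>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Numeric path segment: used to collapse /api/user/2345 and /api/user/2346
# into the same endpoint template with two different object IDs.
ID_RE = re.compile(r"/(\d+)(?=/|$)")


def parse_line(line):
    """Parse one constructed log line; None if malformed or without an object ID."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ids = ID_RE.findall(m["path"])
    if not ids:
        return None  # no numeric object ID in this path: not an IDOR candidate
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "sess": m["sess"],
        "template": ID_RE.sub("/{id}", m["path"]),
        "obj_id": int(ids[-1]),
        "status": int(m["status"]),
    }


def find_enumeration(log_text, window=timedelta(minutes=1), min_ids=5):
    """Return (session, endpoint template, sorted object IDs) for every
    session that successfully fetched at least `min_ids` distinct object IDs
    on one endpoint inside any `window`-long span. Only 2xx responses count:
    a run of 403s means the authorization check is doing its job."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and 200 <= ev["status"] < 300:
            events[(ev["sess"], ev["template"])].append((ev["ts"], ev["obj_id"]))

    findings = []
    for (sess, template), evs in events.items():
        evs.sort()
        flagged = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ids = {oid for _, oid in evs[start:end + 1]}
            if len(ids) >= min_ids:
                flagged |= ids
        if flagged:
            findings.append((sess, template, sorted(flagged)))
    return findings


if __name__ == "__main__":
    for sess, template, ids in find_enumeration(SAMPLE_LOG):
        print(f"{sess} walked {len(ids)} IDs on {template}: {ids[0]}..{ids[-1]}")
```

The thresholds (five distinct IDs within one minute) are starting points; tune them per endpoint, since a legitimate client paging through its own records can look similar on list-style routes.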

🌐 Real-World Example

Request made by a logged-in user to access their own profile:

GET /api/user/2345 HTTP/1.1
Host: vulnerable.site
Authorization: Bearer eyJhbGciOi...

Attacker changes the ID:

GET /api/user/2346 HTTP/1.1
Host: vulnerable.site
Authorization: Bearer eyJhbGciOi...

If the server responds with another user's data without verifying ownership of ID 2346, it confirms IDOR.
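To show what "verifying ownership" means in code, here is an added example (not from the original article) of the /api/user/<id> handler written twice: once looking the record up by the path ID alone, and once requiring that the authenticated caller owns the record (or holds an admin role). The in-memory user table, the bearer-token-to-user mapping, the Request type and the token values are constructed stand-ins for a real database and session layer.

```python
"""Added example (not part of the original article): vulnerable and fixed
versions of the profile endpoint from the request above. The data store,
session table and Request type are constructed for the demo."""
from dataclasses import dataclass

# Constructed data store: user id -> profile record.
USERS = {
    2345: {"id": 2345, "email": "alice@example.com", "plan": "pro"},
    2346: {"id": 2346, "email": "bob@example.com", "plan": "free"},
}
# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"token-for-alice": 2345, "token-for-bob": 2346, "token-for-admin": 9001}
# Constructed role table: user ids allowed to read any profile.
ADMINS = {9001}


@dataclass
class Request:
    path: str            # e.g. "/api/user/2346"
    authorization: str   # e.g. "Bearer token-for-alice"


def current_user(req):
    """Resolve the bearer token to a user id; None if absent or unknown."""
    scheme, _, token = req.authorization.partition(" ")
    if scheme != "Bearer":
        return None
    return SESSIONS.get(token)


def path_user_id(req):
    """Extract the numeric id from the last path segment; None if not numeric."""
    try:
        return int(req.path.rsplit("/", 1)[1])
    except ValueError:
        return None


def get_user_vulnerable(req):
    """IDOR: the caller is authenticated, but nothing ties the requested
    record to the caller, so any valid session can read any profile."""
    if current_user(req) is None:
        return 401, None
    record = USERS.get(path_user_id(req))
    return (200, record) if record else (404, None)


def get_user_checked(req):
    """Fixed: the record is released only to its owner or to an admin."""
    caller = current_user(req)
    if caller is None:
        return 401, None
    target = path_user_id(req)
    if target is None:
        return 400, None
    if caller != target and caller not in ADMINS:
        # Answer 404 rather than 403 so the response does not reveal whether
        # the id exists; either status is defensible, but apply it consistently.
        return 404, None
    record = USERS.get(target)
    return (200, record) if record else (404, None)


if __name__ == "__main__":
    probe = Request("/api/user/2346", "Bearer token-for-alice")
    print("vulnerable:", get_user_vulnerable(probe))  # returns Bob's record
    print("checked:   ", get_user_checked(probe))     # (404, None)
```

The fix is an ownership comparison on the server side, derived from the session rather than from anything the client sends; the same check belongs on every handler that takes an object ID, including the POST-body and file-download cases listed earlier.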

πŸ›‘οΈ How to Prevent IDOR

💡 Practical Tips for Pentesters

📚 Recommended Tools & References