
Insecure Direct Object Reference (IDOR)

Description

Insecure Direct Object Reference (IDOR) occurs when a user-supplied identifier is used to look up and return an object directly, without verifying that the requesting user is authorized to access that object.

Consider, for instance, a website that grants access to bank account information by account id:

https://insecure-bank.com/bank/account?id=12345

An attacker might be able to access the information of other accounts simply by changing the id in the request.

Another manifestation of this weakness is an id that is not easily guessable (a UUID, for instance) but that can be leaked through other means and then used to access the object:

https://insecure-bank.com/user/12/account?id=12345-abcd-12345-abcd

Recommendation

IDORs are caused by missing access controls. Authentication alone is not enough: if an object is meant to be accessible only to particular users, the endpoint must implement a check that verifies that the user making the request has permission to access the specific object being requested.
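As an added example (not code from this page), here is the vulnerable lookup from the description beside a fixed version that scopes the lookup to the authenticated user. It uses a constructed in-memory account store in place of a real database; the `owner_id` field and the handler names are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Account:
    id: str        # works the same whether this is a numeric id or a UUID
    owner_id: int  # assumed: the user who is allowed to read this account
    balance: int


# Constructed sample data: two accounts owned by two different users.
ACCOUNTS = {
    "12345": Account(id="12345", owner_id=12, balance=500),
    "67890": Account(id="67890", owner_id=99, balance=2500),
}

Response = Tuple[int, Optional[Account]]  # (HTTP status, body)


def get_account_vulnerable(request_user_id: int, account_id: str) -> Response:
    """IDOR: the object is returned to any authenticated user who names its id.

    request_user_id comes from the session, but it is never compared with the
    object, so user 12 can read account 67890 just by changing the id.
    """
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    return 200, account


def get_account_fixed(request_user_id: int, account_id: str) -> Response:
    """Ownership check: the lookup is scoped to the authenticated user.

    A 404 is returned both when the account does not exist and when it belongs
    to someone else, so the endpoint does not confirm that a foreign id is
    valid (a deliberate design choice; a 403 would also block the access).
    """
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_id != request_user_id:
        return 404, None
    return 200, account
```

In a real application the same scoping belongs in the query itself (for example, selecting by both account id and owner id) rather than in a check applied after the row has been fetched.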

Standards

  • OWASP_ASVS_L1:
    • V4_1_2
    • V4_2_1
  • OWASP_ASVS_L2:
    • V4_1_2
    • V4_2_1
  • OWASP_ASVS_L3:
    • V4_1_2
    • V4_2_1
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_6_4
    • REQ_7_3
    • REQ_11_3