All About IDOR Attacks
How attackers use Insecure Direct Object References to access data illegally
Have you ever wondered how data breaches happen?
Nowadays, it seems like a new company is breached every five minutes. But how exactly do these breaches happen? How do hackers get their hands on sensitive data? In this article, we’ll talk about a simple yet very impactful vulnerability that attackers often use to gain access to confidential data: IDOR.
What Is IDOR?
IDOR stands for “Insecure Direct Object Reference.” Despite the long and intimidating name, IDOR is a straightforward vulnerability to understand. Essentially, an IDOR is a missing or broken access-control check: the application takes a reference to an object (a user ID, a file name, a database key) straight from the request and hands back that object without verifying that the requester is allowed to see it.
Let’s say example.com is a social media site that allows you to chat with other users. And when you signed up, you noticed that your user ID on the website is 1234. This website has a page that allows you to view all your messages with your friends. When you click on the “View Your Messages” button located on the homepage, you get redirected to this URL, where you can see all your chat messages with your friends on the website:
https://example.com/messages?user_id=1234
Now, what if you change the URL in the URL bar to this one?
https://example.com/messages?user_id=1233
You notice that you can now see all the private messages between another user, user 1233, and all their friends. What just happened? At this point, you have found an IDOR vulnerability.
You were able to see the messages of user 1233 because there is no authorization check in place before the server returns a user’s private information. The server already knows who you are from your logged-in session, but it never compares that identity to the user_id in the URL; it does not verify that you are, in fact, user 1233 rather than an impostor. It simply returns whatever you asked for.
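The following is an added illustration, not code from the original article: a toy request handler for the example.com messages page in two versions, the vulnerable one that trusts the user_id in the URL and a hardened one that refuses any user_id other than the authenticated session user. The message store, the handler names and the URL parsing are assumptions made for the example; the sweep function shows why predictable IDs make the bug so easy to exploit.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data for the example (not from the article):
# inboxes keyed by user ID.
MESSAGES = {
    1233: ["hi from 1233's friend", "secret plans"],
    1234: ["hello 1234", "see you tomorrow"],
}


class Forbidden(Exception):
    """Raised when the session user may not read the requested object."""


def parse_user_id(url):
    """Pull the user_id query parameter out of a URL such as
    https://example.com/messages?user_id=1234 and return it as an int.
    A missing parameter raises KeyError, a non-numeric one ValueError."""
    params = parse_qs(urlparse(url).query)
    return int(params["user_id"][0])


def messages_vulnerable(session_user_id, url):
    """IDOR: the object reference comes straight from the URL and is used
    as-is. The session identity is never compared against it, so any
    logged-in user can read any inbox just by editing the number."""
    requested = parse_user_id(url)
    return MESSAGES.get(requested, [])


def messages_fixed(session_user_id, url):
    """Hardened handler: the user_id in the URL is only honoured when it
    matches the authenticated session user; anything else is refused.
    (Dropping the parameter and keying on the session alone is equally valid.)"""
    requested = parse_user_id(url)
    if requested != session_user_id:
        raise Forbidden(
            f"user {session_user_id} may not read messages of user {requested}"
        )
    return MESSAGES.get(requested, [])


def sweep(handler, session_user_id, start, stop):
    """Attacker loop: walk a range of predictable IDs and collect whatever
    the handler returns. Against the vulnerable handler this dumps other
    users' inboxes; against the fixed one only the attacker's own inbox
    comes back, because every other request is refused."""
    leaked = {}
    for uid in range(start, stop):
        url = f"https://example.com/messages?user_id={uid}"
        try:
            msgs = handler(session_user_id, url)
        except Forbidden:
            continue
        if msgs:
            leaked[uid] = msgs
    return leaked


if __name__ == "__main__":
    # Logged in as user 1234, try to read user 1233's messages.
    print("vulnerable:", messages_vulnerable(1234, "https://example.com/messages?user_id=1233"))
    print("sweep (vulnerable):", sweep(messages_vulnerable, 1234, 1230, 1240))
    print("sweep (fixed):", sweep(messages_fixed, 1234, 1230, 1240))
```

The point of the comparison is where the check lives: the authorization decision must be made from the server-side session, never from a value the client controls. Making IDs hard to guess only slows the sweep down; it does not replace the check.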

IDORs happen when access control is not properly enforced on a user-supplied object reference, and they are easiest to exploit when the references to data objects (like a file or a database entry) are predictable. In this case, it was easy to infer that you can retrieve the messages for users 1232 and user…