Insecure direct object references
(also Object Reference Vulnerability)
Insecure direct object references definition
Insecure direct object reference is a security flaw or vulnerability in web applications. The direct object reference is a web application design method where entity names identify application-controlled resources that travel through URLs or request parameters. Usually, attackers manipulate the entity name with a different value without the user’s consent. That way, users can be redirected to malicious pages or links without knowing. Objectively, IDOR carries security threats and can be a comfortable environment for hackers to access unauthorized information.
See also: insecure deserialization, vulnerability
Common IDOR applications
Confidential data and files: Specific applications manage confidential data, such as various contracts and invoices. This personal information is susceptible to IDOR vulnerabilities. This allows attackers to guess or iterate through object references and access vulnerable information not authorized to view.
Personal user profile information: In web or social media applications, an IDOR vulnerability can allow attackers to modify users’ profile information by overcoming and manipulating the direct object reference in the URL.
Transaction details: In various E-commerce applications and financial platforms, IDOR vulnerabilities carry considerable risk and could allow hackers to view or even manipulate order details and payment information.
Message and notification access: Messaging and notification systems in web applications could carry IDOR vulnerabilities. This leaves the possibility for attackers to gain access to users’ messages and notifications.
File downloads and uploads: IDOR vulnerabilities can be exploited in applications that allow file uploads and downloads. By changing the object references in download URLs, attackers can access the information they shouldn’t have access to.