
IDORs

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

IDOR (Insecure Direct Object References) is an access control vulnerability where an application exposes direct references to internal implementation objects (files, database records, IDs) without proper authorization checks.

Attackers exploit IDORs by manipulating parameters such as user_id, document_id, or invoice_number to access unauthorized data.

Category: Web (web application enumeration and exploitation techniques).

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting IDORs:

GET /api/users/1 -> GET /api/users/2
GET /api/documents/abc123 -> GET /api/documents/abc124
POST /api/updateProfile { "user_id":1,"role":"admin" }
GET /download?file=report1.pdf -> GET /download?file=report2.pdf

Tools & Techniques

Recommended testing techniques for IDORs:

  • Test sequential integer IDs for access escalation
  • Test UUID/hash parameters for pattern prediction
  • Check if object ownership is properly verified
  • Test POST/PUT parameters for mass assignment IDORs
  • Look for IDORs in URL paths, query strings, POST bodies, cookies, and headers

Prevention & Mitigation

Security recommendations to prevent IDORs:

  • Implement proper access control checks for every object reference
  • Use indirect reference maps (random tokens instead of sequential IDs)
  • Verify user authorization for every object operation
  • Implement ownership-based access controls
  • Conduct regular security testing for authorization gaps
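The following added example (not from the original cheatsheet) shows the mitigations above in code: a lookup that trusts a client-supplied ID beside one that checks object ownership, an indirect reference map that hands the client random tokens instead of real IDs, and an allow-list that blocks the mass-assignment case from the payload list. The DOCUMENTS and USERS tables are constructed sample data.

```python
import secrets

# Constructed sample data standing in for a database (not from the original page)
DOCUMENTS = {
    1: {"owner_id": 1, "title": "alice-report"},
    2: {"owner_id": 2, "title": "bob-report"},
}
USERS = {1: {"role": "user"}, 2: {"role": "user"}}


def get_document_vulnerable(session_user_id, document_id):
    """IDOR: trusts the client-supplied id and never checks who owns the record."""
    return DOCUMENTS.get(document_id)


def get_document_secure(session_user_id, document_id):
    """Authorize every object reference: the record must belong to the caller."""
    doc = DOCUMENTS.get(document_id)
    if doc is None or doc["owner_id"] != session_user_id:
        return None  # caller gets 404/403; existence of other users' records is not revealed
    return doc


class IndirectReferenceMap:
    """Per-session map of random tokens -> real ids; the client only ever sees tokens."""

    def __init__(self):
        self._token_to_id = {}

    def reference(self, real_id):
        token = secrets.token_urlsafe(16)  # unguessable, so neighbours cannot be enumerated
        self._token_to_id[token] = real_id
        return token

    def resolve(self, token):
        return self._token_to_id.get(token)  # unknown or guessed token -> None


ALLOWED_PROFILE_FIELDS = {"display_name", "email"}


def update_profile(session_user_id, body):
    """Mass-assignment defence: drop user_id/role from the body, bind to the session user."""
    updates = {k: v for k, v in body.items() if k in ALLOWED_PROFILE_FIELDS}
    USERS[session_user_id].update(updates)
    return USERS[session_user_id]
```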
