Insecure direct object reference

Insecure direct object reference (IDOR) is a type of access control vulnerability in digital security.[1]

This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. For example, if the request URL sent to a web site directly uses an easily enumerated unique identifier (such as http://foo.com/doc/1234), that can provide an exploit for unintended access to all records.

A directory traversal attack is considered a special case of a IDOR.[2]

The vulnerability is of such significant concern that for many years it was listed as one of the Open Web Application Security Project’s (OWASP) Top 10 vulnerabilities.[3] According to application security engineer John Jackson, "Insecure Direct Object Reference vulnerabilities are those silent, underrated bugs, yet they are not uncommon."[4]

Examples

In November 2020, the firm Silent Breach identified an IDOR vulnerability with the United States Department of Defense web site and privately reported it via the DOD's Vulnerability Disclosure Program. The bug was fixed by adding a user session mechanism to the account system, which would require authenticating on the site first.[4]

The use of sequentially numbered URLs for items accessible through an unauthenticated API was exploited in the mass downloading of vast quantities of posts and media files from the Parler social networking service in January 2021 as no authentication was needed to access to company's API and rate limiting was not implemented.[5]

References

"Insecure direct object references (IDOR) | Web Security Academy". portswigger.net. Retrieved 2021-01-12.
Karande, Chetan. "Securing Node Applications - 4. Insecure Direct Object References". www.oreilly.com. Retrieved 2021-01-12.
Solomon, Howard (2021-01-12). "Common development error likely led to huge Parler data theft, says expert | IT World Canada News". www.itworldcanada.com. Retrieved 2021-01-12.
Cimpanu, Catalin. "Bug hunter wins 'Researcher of the Month' award for DOD account takeover bug". ZDNet. Retrieved 2021-01-12.
"An Absurdly Basic Bug Let Anyone Grab All of Parler's Data". Wired. ISSN 1059-1028. Retrieved 2021-01-12.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.

[1] "Insecure direct object references (IDOR) | Web Security Academy". portswigger.net. Retrieved 2021-01-12.

[2] Karande, Chetan. "Securing Node Applications - 4. Insecure Direct Object References". www.oreilly.com. Retrieved 2021-01-12.

[3] Solomon, Howard (2021-01-12). "Common development error likely led to huge Parler data theft, says expert | IT World Canada News". www.itworldcanada.com. Retrieved 2021-01-12.

[:0-4] Cimpanu, Catalin. "Bug hunter wins 'Researcher of the Month' award for DOD account takeover bug". ZDNet. Retrieved 2021-01-12.

[5] "An Absurdly Basic Bug Let Anyone Grab All of Parler's Data". Wired. ISSN 1059-1028. Retrieved 2021-01-12.