Insecure direct object reference (IDOR) is a type of access control vulnerability in digital security. It can occur when a web application or application programming interface (API) uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. For example, if the request URL sent to a web site directly uses an easily enumerated unique identifier (such as http://foo.com/doc/1234), that can provide an exploit for unintended access to all records.
A directory traversal attack is considered a special case of an IDOR.
The vulnerability is of such significant concern that for many years it was listed as one of the Open Web Application Security Project's (OWASP) Top 10 vulnerabilities.
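The following is an added example, not code from the original article: a document lookup in the style of the /doc/1234 URL above, written once without any caller check (the IDOR) and once hardened with the two controls the article describes, a server-side session that establishes who is asking and an ownership check on the object before it is returned. It also shows a per-session indirect reference map, so the raw database key never appears in the URL. The document store, session table, user names and document bodies are all constructed for the demonstration.

```python
"""Added example (not part of the original article): an IDOR-prone document
lookup next to a hardened version that enforces authentication and ownership.
Every record, user and session token below is constructed for illustration."""
import secrets
from typing import Callable, Dict, Optional

# Constructed document store keyed by a sequential, easily enumerated id.
DOCUMENTS: Dict[int, Dict[str, str]] = {
    1234: {"owner": "alice", "body": "Alice's tax return"},
    1235: {"owner": "bob", "body": "Bob's medical record"},
}

# Constructed session table: session token -> authenticated username.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}

# Per-session indirect reference map: session token -> opaque handle -> real id.
HANDLES: Dict[str, Dict[str, int]] = {}


class Unauthenticated(Exception):
    """Request carried no valid session."""


class Forbidden(Exception):
    """Caller is authenticated but may not see this object (or it does not exist)."""


def get_document_vulnerable(doc_id: int) -> str:
    """Handler for GET /doc/<doc_id> with the IDOR defect: the identifier from
    the URL is used directly as the database key and the caller is never
    identified or authorised, so walking doc_id returns every record."""
    return DOCUMENTS[doc_id]["body"]


def get_document_checked(session_token: Optional[str], doc_id: int) -> str:
    """Hardened handler: resolve the caller from a server-side session first,
    then confirm the caller owns the object before returning it."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        raise Unauthenticated()
    doc = DOCUMENTS.get(doc_id)
    # Same error for a missing and a foreign document, so the response does
    # not confirm which ids exist to a caller who does not own them.
    if doc is None or doc["owner"] != user:
        raise Forbidden()
    return doc["body"]


def issue_handle(session_token: str, doc_id: int) -> str:
    """Indirect reference: after the ownership check passes, hand the client a
    random handle that is valid only inside this session, instead of the raw
    database key. Handles are not guessable and cannot be reused elsewhere."""
    get_document_checked(session_token, doc_id)  # raises if not allowed
    handle = secrets.token_urlsafe(16)
    HANDLES.setdefault(session_token, {})[handle] = doc_id
    return handle


def get_document_by_handle(session_token: str, handle: str) -> str:
    """Resolve the handle through the caller's own map, then re-run the
    ownership check so a leaked handle is still useless in another session."""
    doc_id = HANDLES.get(session_token, {}).get(handle)
    if doc_id is None:
        raise Forbidden()
    return get_document_checked(session_token, doc_id)


def outcome(handler: Callable[..., str], *args) -> str:
    """Run a handler and return its body, or the name of the error it raised.
    Used by the audit below and by the tests so results are plain strings."""
    try:
        return handler(*args)
    except (Unauthenticated, Forbidden) as exc:
        return type(exc).__name__


def records_exposed(handler: Callable[..., str], ids, *prefix_args) -> int:
    """Audit helper: count how many ids in `ids` the handler serves to one
    caller. The vulnerable handler serves all of them; the checked one serves
    only the caller's own records."""
    return sum(1 for i in ids if outcome(handler, *prefix_args, i) not in
               ("Unauthenticated", "Forbidden") and i in DOCUMENTS)


if __name__ == "__main__":
    ids = range(1234, 1236)
    print("vulnerable handler exposes", records_exposed(get_document_vulnerable, ids))
    print("checked handler exposes to alice",
          records_exposed(get_document_checked, ids, "tok-alice"))
    h = issue_handle("tok-alice", 1234)
    print("handle for alice:", h, "->", outcome(get_document_by_handle, "tok-alice", h))
    print("same handle in bob's session ->", outcome(get_document_by_handle, "tok-bob", h))
```

The audit helper is the check a reviewer can run against a real handler: if a single session can retrieve records it does not own across a contiguous id range, the endpoint has the defect. Note that replacing sequential ids with random ones alone is not a fix; the ownership check in `get_document_checked` is what closes the hole, and the handle map only removes the enumeration shortcut on top of it.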
Examples
In November 2020, the firm Silent Breach identified an IDOR vulnerability in the United States Department of Defense web site and privately reported it via the DOD's Vulnerability Disclosure Program. The bug was fixed by adding a user session mechanism to the account system, which would require authenticating on the site first.
It was reported that the Parler social networking service used sequential post IDs, and that this had enabled the scraping of terabytes of data from the service in January 2021. The researcher responsible for the project has said this was inaccurate.