What if a bank customer could edit another customer’s account data? Or a student could edit their own grades? Or a shopper could reduce the price of an item before purchase? These all sound like Hollywood hacker-movie plots, but all of them have happened in the real world through the exploitation of IDOR vulnerabilities.
What is IDOR?
IDOR stands for Insecure Direct Object Reference. It is a category of vulnerability that occurs when an application exposes a reference to an internal object (a database key, a file name, a user ID) and never checks that the requesting user is allowed to access that object, leading to unauthorized access to data or functions within the application.
..?customerid=123456… What about customerid=123457?
It is common for websites to use a unique number such as a “customer ID” to retrieve a record from the database. An IDOR vulnerability occurs when the application authenticates the user but never checks that the authenticated session is authorized for the specific record being referenced, so an attacker can simply change the ID number in the URL and read or modify someone else’s data.
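The following is an added example, not code from the original article: a minimal in-memory version of the customer lookup above, written once without the authorization check and once with it, plus the enumeration an attacker runs with a single low-privilege session. The customer records, session tokens and handler names are constructed for illustration.

```python
"""Horizontal IDOR: an object lookup keyed only on the URL parameter.

Added example, not code from the original article. The store, session
table and handler names below are constructed for illustration.
"""

# Constructed sample data: two customers and one session token per customer.
CUSTOMERS = {
    123456: {"name": "Alice", "iban": "DE89 3704 0044 0532 0130 00"},
    123457: {"name": "Bob",   "iban": "GB29 NWBK 6016 1331 9268 19"},
}
SESSIONS = {
    "sess-alice": 123456,   # session token -> authenticated customer id
    "sess-bob":   123457,
}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def current_customer(session_token):
    """Resolve the session cookie to the authenticated principal (authentication)."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise Unauthenticated("no valid session")


def get_customer_vulnerable(session_token, customer_id):
    """GET /account?customerid=<id> as many apps write it: the session is
    checked (the user is logged in), but the record is fetched straight
    from the parameter, so any logged-in user can read any account."""
    current_customer(session_token)           # authentication only
    return CUSTOMERS[customer_id]              # no ownership check


def get_customer_fixed(session_token, customer_id):
    """Same endpoint with the missing authorization check: the referenced
    object must belong to the authenticated principal."""
    me = current_customer(session_token)
    if customer_id != me:
        raise Forbidden(f"customer {me} may not access customer {customer_id}")
    return CUSTOMERS[customer_id]


def get_my_account(session_token):
    """Better still for 'my account' views: derive the object from the
    session and accept no client-supplied identifier at all."""
    return CUSTOMERS[current_customer(session_token)]


def enumerate_accounts(handler, session_token, id_range):
    """What an attacker does with one low-privilege session: walk the id
    space and collect every account the handler hands back."""
    leaked = {}
    for cid in id_range:
        try:
            leaked[cid] = handler(session_token, cid)["name"]
        except (Forbidden, KeyError):   # 403 or 404 from the application
            continue
    return leaked


if __name__ == "__main__":
    ids = range(123450, 123460)
    print("vulnerable:", enumerate_accounts(get_customer_vulnerable, "sess-bob", ids))
    print("fixed:     ", enumerate_accounts(get_customer_fixed, "sess-bob", ids))
```

Bob's session against the vulnerable handler yields Alice's record as well as his own; against the fixed handler it yields only his. One practical caveat: answering 403 for other customers' IDs and 404 for unused ones tells an enumerating attacker which IDs exist, so many applications deliberately return the same 404 for both cases.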
We have a great story about a SaaS we had to fire after, on a rainy afternoon, we decided to fiddle with the URL.
Not a Very Random URL
There are times when applications need to share an object with an unauthenticated external user. This is typically done by creating a unique, complex random string to identify the object within a URL; think of sharing files with OneDrive or Google Drive. Arguably this is “security through obscurity”, but if done right (a long token from a cryptographically secure random generator, never reused, ideally revocable or expiring), it does work. However, many applications have been developed with less-than-random strings, such as counter-based or timestamp-based values, which attackers can easily guess through brute-force attacks.
I Can Haz Escalated Privileges?
Attackers may also try to elevate privileges from a low-privileged user to a higher-privileged one by simply guessing the URL of an object such as an administrative interface. While the administrative interface would normally not be linked or shown to the low-privileged user, if access control is not enforced on the server for that request, the attacker may be able to reach it and execute administrative functions.
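The following is an added example, not code from the original article, showing the vertical case: an admin route that is only hidden from the menu beside one that is enforced by a server-side role check, and the path-guessing an attacker does with an ordinary customer session. The routes, roles, user table and wordlist are constructed for illustration.

```python
"""Vertical privilege escalation: an admin route that is merely hidden from
the UI versus one enforced by a server-side role check.

Added example, not from the original article. Route names, roles, the user
table and the wordlist are constructed for illustration.
"""
from functools import wraps

# Constructed sample: session token -> user record.
USERS = {
    "sess-admin": {"name": "root", "role": "admin"},
    "sess-bob":   {"name": "Bob",  "role": "customer"},
}


class Forbidden(Exception):
    pass


def require_role(role):
    """Enforce the role on the server, on every call, whether or not the
    UI ever showed the user a link to this function."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session_token, *args, **kwargs):
            user = USERS.get(session_token)
            if user is None or user["role"] != role:
                raise Forbidden(f"{role} role required")
            return fn(session_token, *args, **kwargs)
        return wrapper
    return decorator


def list_users_unprotected(session_token):
    """/admin/users as written when 'nobody knows the URL' is the control."""
    return sorted(u["name"] for u in USERS.values())


@require_role("admin")
def list_users_protected(session_token):
    """Same function with the role check applied at the server."""
    return sorted(u["name"] for u in USERS.values())


ROUTES_VULNERABLE = {"/admin/users": list_users_unprotected}
ROUTES_FIXED = {"/admin/users": list_users_protected}


def dispatch(routes, path, session_token):
    """Tiny router returning (status, body) like the web framework would."""
    handler = routes.get(path)
    if handler is None:
        return 404, None
    try:
        return 200, handler(session_token)
    except Forbidden:
        return 403, None


WORDLIST = ["/admin", "/admin/users", "/manage", "/console"]


def guess_admin_paths(routes, session_token, wordlist=WORDLIST):
    """An attacker with a customer session tries common admin paths and
    records which ones answer."""
    return {path: dispatch(routes, path, session_token)[0] for path in wordlist}


if __name__ == "__main__":
    print("vulnerable:", guess_admin_paths(ROUTES_VULNERABLE, "sess-bob"))
    print("fixed:     ", guess_admin_paths(ROUTES_FIXED, "sess-bob"))
    print("admin:     ", dispatch(ROUTES_FIXED, "/admin/users", "sess-admin"))
```

Against the vulnerable routing table Bob's session gets a 200 and the full user list from /admin/users; against the fixed table the same request is refused with 403 while the admin session still succeeds. The check lives on the handler, not in the navigation, so it holds no matter how the URL was discovered.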
How Can You Prevent IDOR Exploitation?
Detecting IDOR vulnerabilities can be challenging because they depend on how authentication, authorization and session management are architected, designed and implemented: the flaw is a missing check rather than a malformed input, so it rarely shows up in static scans. Dynamic application security testing (DAST), including fuzzing of the identifiers a request carries, can help surface it, and the most reliable manual check is to log in as two different users, capture every request that contains an object identifier, swap in the other user’s identifier, and compare the responses. Preventing it comes down to enforcing authorization on the server for every object access: resolve the user from the session, verify that the user is entitled to the referenced object (or holds the required role), and prefer deriving the object from the session or using unguessable references over trusting identifiers supplied by the client.
Special thanks to Mrigakshi Goel for helping author this “in 5” article.