IDOR Vulnerability

IDOR stands for Insecure Direct Object Reference. It is an access control vulnerability. The weakness occurs when an application uses user-supplied input (an id, a filename, a record number) to access an object directly, without checking that the requesting user is actually authorised to access that object. IDOR is most commonly associated with horizontal privilege escalation (reading another user's data at the same privilege level), but it can also arise in relation to vertical privilege escalation (reaching objects reserved for administrators).

--

Mitigation :-

  • Perform regular security testing.
  • Keep applications and databases up-to-date.
  • Always filter and validate user inputs.
  • Do enforce access control policies.
  • Keep values random and non-predictable.

Example :-

Explanation :-

Here, the attacker's own document is numbered 100. He instead asks the server for document 101, which belongs to another user, and the web server fetches that document and returns it in the response to the attacker. The same happens with document 103. The attacker should only be able to access his own documents, not other users' documents. This is an IDOR vulnerability.
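The scenario above, written out as an added example (not code from the original post): a minimal in-memory document service with the vulnerable lookup beside the fixed one, plus the "random and non-predictable" mitigation from the list. The user names, document numbers and contents are constructed for the example; the authorisation check compares the object's owner against the server-side session identity, never against anything the client sent.

```python
# Added example (not from the original post): IDOR in a document lookup and its fix.
# All data below is constructed in memory; nothing is fetched over a network.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: the attacker owns 100, the victim owns 101 and 103.
DOCUMENTS = {
    100: Document(100, "attacker", "attacker's own notes"),
    101: Document(101, "victim", "victim's private report"),
    103: Document(103, "victim", "victim's salary sheet"),
}


class Forbidden(Exception):
    """Raised when the authenticated user is not allowed to read the object."""


def fetch_document_vulnerable(session_user: str, doc_id: int) -> str:
    """IDOR: the user-supplied id is used directly and session_user is ignored.
    Any authenticated user can read any document by changing the number."""
    return DOCUMENTS[doc_id].body


def fetch_document_secure(session_user: str, doc_id: int) -> str:
    """Fix: resolve the object, then authorise it against the server-side
    session identity before returning anything."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        # Same outcome for "does not exist" and "not yours", so the response
        # does not reveal which ids are in use.
        raise Forbidden(f"document {doc_id} is not accessible to {session_user}")
    return doc.body


def new_opaque_id() -> str:
    """Defence in depth for the 'random and non-predictable' mitigation:
    an unguessable id makes enumeration impractical, but it is NOT a
    substitute for the ownership check above."""
    return secrets.token_urlsafe(16)


def replay_scenario():
    """Replay the post's scenario: the owner of 100 requests 100, 101 and 103
    against both endpoints. Returns (vulnerable_results, secure_results)."""
    leaked, blocked = [], []
    for requested in (100, 101, 103):
        leaked.append(fetch_document_vulnerable("attacker", requested))
        try:
            blocked.append(fetch_document_secure("attacker", requested))
        except Forbidden:
            blocked.append(None)  # request denied, nothing returned
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = replay_scenario()
    print("vulnerable endpoint returned:", leaked)
    print("hardened endpoint returned:  ", blocked)
```

The hardened lookup denies documents 101 and 103 while still serving document 100; the only input it trusts is the session identity the server itself established. Opaque ids alone would not have fixed this: a leaked or shared link would still be readable by anyone, which is why the ownership check stays in place.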

Written by Vishnu Shivalal P