Learn about Insecure Direct Object References (IDOR), a common vulnerability ranked as A4 by OWASP. Protect your systems from unauthorized access by understanding, preventing, and detecting IDOR attacks.
Insecure Direct Object References (IDOR) is a security vulnerability that occurs when an application uses a user-supplied parameter to access an object directly, without proper authorization checks. This allows an attacker to change the parameter value and gain unauthorized access to sensitive data or resources. This article provides an overview of IDOR, how to prevent it, and example attack scenarios.
Insecure Direct Object References (IDOR) is listed as A4 in the OWASP Top 10 project. It is a common vulnerability that can lead to serious data breaches if not properly addressed. By understanding how IDOR works and implementing appropriate security measures, organizations can protect their systems from this type of attack.
To prevent Insecure Direct Object References, it is recommended to use per-user or per-session indirect object references. Instead of exposing a direct reference to an object, such as a database key, the application keeps a mapping (a reference map) that associates the user's selection with the actual object, so the real key never leaves the server. In addition, every direct object reference must still be checked for access control, confirming that the current user is authorized to access the requested object before it is returned.
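The two measures above, a per-session reference map plus an explicit ownership check on the resolved object, shown side by side with the unchecked direct lookup they replace. This is an added example, not code from the original page; the `ACCOUNTS` table, user names and function names are constructed for illustration.

```python
import secrets

# Constructed sample data (assumption, not from the page): account id -> record.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250},
    1002: {"owner": "bob", "balance": 900},
}


class SessionRefMap:
    """Per-session indirect object references: the client only ever sees
    random tokens; the real database keys never leave the server."""

    def __init__(self, user):
        self.user = user
        self._tokens = {}  # token -> real account id

    def reference(self, account_id):
        # Only mint a token for an object this user is authorized to see.
        record = ACCOUNTS.get(account_id)
        if record is None or record["owner"] != self.user:
            raise PermissionError(f"{self.user} may not reference account {account_id}")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = account_id
        return token

    def resolve(self, token):
        # A guessed token, or one minted for another session, resolves to nothing.
        return self._tokens.get(token)


def vulnerable_lookup(user, acct_param):
    """Direct reference with no authorization check: any account id the
    client sends is returned, regardless of who is asking."""
    return ACCOUNTS.get(int(acct_param))


def hardened_lookup(session, token):
    """Indirect reference, then an ownership check on the resolved object
    (defence in depth: the check holds even if a token leaks)."""
    account_id = session.resolve(token)
    record = ACCOUNTS.get(account_id) if account_id is not None else None
    if record is None or record["owner"] != session.user:
        return None
    return record
```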
SQL Injection Attack: In one example attack scenario, an application uses unverified data in a SQL call that accesses account information. The attacker modifies the parameter value in their browser to send a different account number, allowing them to access any user's account instead of only the intended customer's account.
Path Traversal Attack: In another example attack scenario, a path traversal vulnerability is exploited to gain unauthorized access to sensitive files or directories on a web server. This is achieved by manipulating the parameter value to traverse the file system and access restricted resources.
Unauthorized File Download: In this attack scenario, an attacker exploits an IDOR vulnerability to download files from a server that they are not authorized to access. By manipulating the parameter value to reference a different file, the attacker can bypass access controls and obtain sensitive information.