Insecure direct object reference
{{short description|Type of access control vulnerability in digital security}}
Insecure direct object reference (IDOR) is a type of access control vulnerability in digital security.<ref>{{Cite web|title=Insecure direct object references (IDOR) {{!}} Web Security Academy|url=https://portswigger.net/web-security/access-control/idor|access-date=2021-01-12|website=portswigger.net}}</ref>
This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. For example, if the request URL sent to a website directly uses an easily enumerated unique identifier (such as ), a user who changes that identifier can gain unintended access to all records.
A directory traversal attack is considered a special case of an IDOR.<ref>{{Cite web|last=Karande|first=Chetan|date=|title=Securing Node Applications - 4. Insecure Direct Object References|url=https://www.oreilly.com/library/view/securing-node-applications/9781491982426/ch04.html|access-date=2021-01-12|website=www.oreilly.com|language=en}}</ref>
The vulnerability is of such significant concern that for many years it was listed as one of the Open Web Application Security Project's (OWASP) Top 10 vulnerabilities.<ref>{{Cite web|last=Solomon|first=Howard|date=2021-01-12|title=Common development error likely led to huge Parler data theft, says expert {{!}} IT World Canada News|url=https://www.itworldcanada.com/article/common-development-error-likely-led-to-huge-parler-data-theft-says-expert/440646|access-date=2021-01-12|website=www.itworldcanada.com|language=en-US}}{{Dead link|date=August 2023 |bot=InternetArchiveBot |fix-attempted=yes }}</ref>
Consecutive IDs can be replaced with non-sequential, unguessable identifiers ("dark keys") using several techniques.<ref>{{Cite web |last=Contieri |first=Maximiliano |date=2025-05-17 |title=Refactoring 028 - Replace Consecutive IDs with Dark Keys |url=https://maxicontieri.substack.com/p/refactoring-028-replace-consecutive |access-date=2025-05-17 |website=Clean Code Cookbook}}</ref>
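The following illustration, added here and not part of the article or any cited source, shows the pattern described above in miniature: a lookup that trusts a sequential identifier from the request, the same lookup with an ownership check, and a variant that issues opaque "dark keys" while still enforcing the check. The record store, user names and function names are constructed for the example.

```python
import secrets

# Constructed store: owner and content of each record, keyed by a sequential id.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's tax return"},
    2: {"owner": "bob", "body": "bob's medical record"},
}
# Opaque, non-sequential handles ("dark keys"), one per record.  Generated with
# secrets so that knowing one handle gives no way to guess a neighbour's.
DARK_KEYS = {secrets.token_urlsafe(16): doc_id for doc_id in DOCUMENTS}

class Forbidden(Exception):
    """Raised when the requester is not allowed to read the record."""

def get_document_vulnerable(user: str, doc_id: int) -> str:
    """IDOR: the identifier alone selects the record; `user` is never consulted,
    so changing 1 to 2 in the request reads another user's data."""
    return DOCUMENTS[doc_id]["body"]

def get_document_checked(user: str, doc_id: int) -> str:
    """Fixed: look the record up, then verify the requester owns it."""
    record = DOCUMENTS.get(doc_id)
    if record is None or record["owner"] != user:
        # One failure path for 'missing' and 'not yours' so ids cannot be probed.
        raise Forbidden(f"{user} may not read document {doc_id}")
    return record["body"]

def get_document_by_dark_key(user: str, key: str) -> str:
    """Defence in depth: the opaque handle removes enumerability, but the
    ownership check still runs; indirection alone is not authorization."""
    doc_id = DARK_KEYS.get(key)
    if doc_id is None:
        raise Forbidden("unknown document handle")
    return get_document_checked(user, doc_id)

def handle_for(doc_id: int) -> str:
    """Return the opaque handle a client would have been issued for a record."""
    return next(k for k, v in DARK_KEYS.items() if v == doc_id)

def is_denied(fn, *args) -> bool:
    """True when the access function refuses the request with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The vulnerable function returns Bob's record to Alice as soon as the id in her request is changed; the checked versions refuse, whether the record is addressed by its sequential id or by its dark key.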
== Examples ==
In November 2020, the firm Silent Breach identified an IDOR vulnerability with the United States Department of Defense web site and privately reported it via the DOD's Vulnerability Disclosure Program. The bug was fixed by adding a user session mechanism to the account system, which would require authenticating on the site first.<ref>{{Cite web|last=Cimpanu|first=Catalin|title=Bug hunter wins 'Researcher of the Month' award for DOD account takeover bug|url=https://www.zdnet.com/article/bug-hunter-wins-researcher-of-the-month-award-for-dod-account-takeover-bug/|access-date=2021-01-12|website=ZDNet|language=en}}</ref>
It was reported that the Parler social networking service used sequential post IDs, and that this had enabled the scraping of terabytes of data from the service in January 2021. The researcher responsible for the project has said this was inaccurate.<ref>{{cite magazine |last1=Greenberg |first1=Andy |title=An Absurdly Basic Bug Let Anyone Grab All of Parler's Data |url=https://www.wired.com/story/parler-hack-data-public-posts-images-video/ |access-date=January 12, 2021 |magazine=Wired |date=January 12, 2021 |archive-date=January 12, 2021 |archive-url=https://web.archive.org/web/20210112164535/https://www.wired.com/story/parler-hack-data-public-posts-images-video/ |url-status=live }}</ref><ref>{{Cite tweet|number=1355640041155031040|user=donk_enby|title=also a lot of the news coverage claimed the post IDs were sequential. they were not, but: https://github.com/d0nk/parler-tricks/blob/main/parler/conversion.py#L22 (this endpoint only existed in their iOS app and afaik wasn't actually used for anything)|author=|date=January 30, 2021|archive-url=https://web.archive.org/web/20210130221238/https://twitter.com/donk_enby/status/1355640041155031040|access-date=February 12, 2021|archive-date=January 30, 2021|url-status=live}}</ref>
== References ==
{{reflist}}
[[Category:Web security exploits]]
[[Category:Hacking (computer security)]]
{{computer-security-stub}}