Insecure Direct Object References (IDOR)

High

Description

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application provides direct access to objects based on user-supplied input. This can occur when a web application or API uses an identifier for direct access to an object in an internal database but does not check for any type of access control or authentication.

Attack Scenario

An attacker can bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more.

Mitigation

Avoid passing user-submitted input to any filesystem /framework API.
Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
At the code level, make it mandatory for developers to declare the access that is allowed for each resource, and deny access by default.

ID: 30009

HQ Address

20 Al Mathaf Al Zerai, Agouza, Giza - Egypt
Phone: +2 02 333 638 86
Fax: +2 02 353 656 84
Email: sales@security-meter.com

Asia-Pacific Office Address

Unit 11-3A, 3RD Mile Square No.151
JLN KLANG LAMA, BATU 3 1/2
Kuala Lumpur Malaysia
Email: asia-pacific@security-meter.com

US Office

1-29A 14 Elmwood Park
New Jersey
07407 United States
Email: us@security-meter.com