Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application provides direct access to objects based on user-supplied input. This can occur when a web application or API uses an identifier for direct access to an object in an internal database but does not check for any type of access control or authentication.
An attacker can bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more.
- Avoid passing user-submitted input to any filesystem /framework API.
- Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
- At the code level, make it mandatory for developers to declare the access that is allowed for each resource, and deny access by default.