Description
IDOR occurs when an application provides direct access to objects based on user input without proper authorization checks. This vulnerability allows attackers to manipulate object identifiers to access sensitive information or perform unauthorized operations. For example, changing a user ID in a URL parameter might grant access to another user’s account details.
Recommendation
To mitigate IDOR vulnerabilities, implement access control mechanisms that validate user permissions before granting access to resources. Use indirect references (e.g., tokens) instead of exposing direct object references in URLs or other inputs. Ensure that sensitive endpoints enforce proper authorization policies.
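As an added example (not code from the original page), the following Python sketch puts the vulnerable direct lookup beside a hardened one that enforces ownership, and adds a per-session indirect reference map of the kind the recommendation describes; the account data, function and class names are constructed for illustration.

```python
# Added example: an in-memory "account details" service showing an IDOR-prone
# lookup next to a hardened one that checks ownership, plus opaque per-session
# references so raw object ids never reach the client.
import secrets

# Constructed sample data: account records keyed by their direct object id.
ACCOUNTS = {
    101: {"owner": "alice", "email": "alice@example.com", "balance": 250},
    102: {"owner": "bob", "email": "bob@example.com", "balance": 90},
}

class AuthorizationError(Exception):
    """Raised when the caller is not allowed to access the requested object."""

def get_account_idor(current_user, account_id):
    """Vulnerable: trusts the id taken from the request and never checks ownership."""
    return ACCOUNTS.get(account_id)

def get_account_checked(current_user, account_id):
    """Hardened: the record is released only if the authenticated caller owns it."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != current_user:
        # One answer for "missing" and "not yours" avoids confirming which ids exist.
        raise AuthorizationError("account not found")
    return record

class ReferenceMap:
    """Indirect references: the client only ever sees random, session-bound tokens."""
    def __init__(self):
        self._token_to_id = {}

    def reference_for(self, current_user, account_id):
        # Tokens are minted only for objects the user is allowed to see (e.g. at listing time).
        if ACCOUNTS.get(account_id, {}).get("owner") != current_user:
            raise AuthorizationError("account not found")
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = (current_user, account_id)
        return token

    def resolve(self, current_user, token):
        entry = self._token_to_id.get(token)
        if entry is None or entry[0] != current_user:
            raise AuthorizationError("account not found")
        # The ownership check still runs on the final lookup (defence in depth).
        return get_account_checked(current_user, entry[1])

def is_denied(fn, *args):
    """True when the call is refused by the authorization guard."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False
```

The vulnerable function returns Alice's record to Bob as soon as he supplies her id, while the checked function and the token map refuse the same request.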
References
- OWASP: Insecure Direct Object Reference (IDOR)
- OWASP Top Ten 2021 - Broken Access Control
- CWE-639
- CAPEC-180
- OWASP 2021-A1