What is IDOR? OWASP Broken Access Control

Introduction

In this article I will briefly introduce the concept of the IDOR vulnerability and its impact. I will also show a simple example of taking advantage of an insecure fake website.

IDOR – overview

IDOR, or Insecure Direct Object Reference, refers to an access control weakness in web applications. It is an important concept, as it falls under Broken Access Control in the Open Web Application Security Project (OWASP) Top 10.

It occurs when a web application exposes an identifier that points directly to a specific object on the web server. By object I mean, for example, a file or a user account attribute such as a user id. This becomes a problem when the web application fails to validate whether the logged-in user should have access to the requested object: it looks up whatever the client names instead of checking the caller's permissions on the server side. This allows attackers to bypass authorization and gain unauthorized access to user accounts, database records or admin functionality.

More info:
https://owasp.org/Top10/A01_2021-Broken_Access_Control/
Insecure direct object reference – Wikipedia

Example of IDOR weakness

In the example below we have a login panel from an insecure fake website. I will first log into the guest account and then observe how the URL changes. After the website redirects us to the guest’s dashboard, we can see the changed URL with a parameter ‘user=guest‘. To take advantage of IDOR I will change the user parameter to ‘admin’.

This video was made thanks to a CTF room from tryhackme.com.

As we can see in the video, I was able to access the admin dashboard without admin credentials.
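To make the mechanism behind the video concrete, here is an added example (not code from the article or from the TryHackMe room) that models the dashboard handler in both a vulnerable and a hardened form. It uses no web framework: a request is represented by the username stored in the server-side session at login plus the parsed query string, and the user records are constructed sample data. The rule that an admin may view other users' dashboards is my assumption for the example, not something the article states.

```python
# Added example: a minimal model of the dashboard handler described in the
# article, in a vulnerable (IDOR) form and a hardened form.
# No web framework; a request is modelled as (session_user, query).
# All user records are constructed sample data.

import logging
from dataclasses import dataclass

# Constructed "database" of user profiles, keyed by the identifier the URL exposes.
USERS = {
    "guest": {"username": "guest", "role": "user", "email": "guest@example.test"},
    "admin": {"username": "admin", "role": "admin", "email": "admin@example.test"},
}


@dataclass
class Response:
    status: int
    body: dict


def dashboard_vulnerable(session_user: str, query: dict) -> Response:
    """Vulnerable handler: trusts the 'user' query parameter directly.

    Mirrors the fake site in the article: the server returns whatever object
    the client names and never checks that the logged-in user may see it.
    """
    requested = query.get("user", session_user)
    record = USERS.get(requested)
    if record is None:
        return Response(404, {"error": "no such user"})
    return Response(200, record)


def dashboard_hardened(session_user: str, query: dict) -> Response:
    """Hardened handler: the object reference is checked against the session.

    The fix for IDOR is a server-side authorization check, not hiding the
    parameter. The session identity is set at login and is not client
    controlled; only it decides what may be returned. (Assumption for this
    example: an admin may view other users' dashboards.)
    """
    requested = query.get("user", session_user)
    caller = USERS.get(session_user)
    if caller is None:
        return Response(401, {"error": "not authenticated"})
    if requested != session_user and caller["role"] != "admin":
        # A non-admin asking for another user's object is exactly the pattern
        # to log and alert on: it is the signature of IDOR probing.
        logging.warning("IDOR attempt: %s requested dashboard of %s",
                        session_user, requested)
        return Response(403, {"error": "forbidden"})
    record = USERS.get(requested)
    if record is None:
        return Response(404, {"error": "no such user"})
    return Response(200, record)


if __name__ == "__main__":
    # Same request as in the video: logged in as guest, URL says user=admin.
    print("vulnerable:", dashboard_vulnerable("guest", {"user": "admin"}))
    print("hardened:  ", dashboard_hardened("guest", {"user": "admin"}))
```

Running the module shows the vulnerable handler returning the admin record with status 200 for the guest session, while the hardened handler answers 403 and writes a warning. The important design point is that the hardened version does not remove or obfuscate the `user` parameter; it simply refuses to honour it unless the session-backed identity is allowed to see that object, which is the check the fake site in the video was missing.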