What is IDOR?

Insecure Direct Object Reference (IDOR) is a vulnerability caused by the absence or improper use of an authorization mechanism. It allows one person to access an object that belongs to another.

IDOR is a form of "Broken Access Control", the category ranked as the number one web application vulnerability in the 2021 OWASP Top 10.

How IDOR Works

Unlike many other web application vulnerabilities, IDOR is not caused by poor input sanitization. The attacker manipulates the parameters sent to the web application, gains access to an object that does not belong to them, and is then able to read, modify, or delete its contents.

Here’s an example to better understand how the IDOR vulnerability is exploited.

Imagine a simple web application. It retrieves the “id” variable from the user and then displays data that belongs to the user who made the request.

URL: **https://letsdefend.io/get_user_information?id=1**

When a request like the one above is made in our web application, it displays the information of the user with an id value of 1.

If I am the user who made the request and my ID value is 1, everything will work normally. When I make the request, I see my personal information.

But what happens if we make a request with 2 as the “id” parameter? Or 3?

If the web application does not check that the "id" value in the request belongs to the person making the request, then any user can make that request and see another user's information. This web vulnerability is called IDOR.

Attackers can access objects that do not belong to them by changing parameters such as the "id". The type of information they can reach varies from one web application to another, but either way, you would not want anyone else to access your personal information, so this is a critical issue.
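The following is an added example, not code from the original article or from LetsDefend. It models the `get_user_information?id=1` endpoint described above as plain Python functions: one version that trusts the client-supplied "id" (vulnerable to IDOR), one that compares the requested id against the identity held in the server-side session, and one that drops the parameter altogether. The user table, the names and e-mail addresses, and the session model are constructed for illustration.

```python
# Added example (not from the original article): a minimal model of the
# "get_user_information?id=1" endpoint, first without an authorization
# check (vulnerable to IDOR) and then with one.
# The record store, user names and the session model are constructed.

from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class UserRecord:
    user_id: int
    name: str
    email: str


# Constructed sample data standing in for the application's user table.
USERS: Dict[int, UserRecord] = {
    1: UserRecord(1, "alice", "alice@example.com"),
    2: UserRecord(2, "bob", "bob@example.com"),
    3: UserRecord(3, "carol", "carol@example.com"),
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to read the object."""


def get_user_information_vulnerable(session_user_id: int, requested_id: int) -> UserRecord:
    """Vulnerable handler: it uses the client-supplied id directly and never
    checks that the id belongs to the logged-in user. Any authenticated user
    can request id=1, 2, 3, ... and read every record (IDOR)."""
    return USERS[requested_id]


def get_user_information_fixed(session_user_id: int, requested_id: int) -> UserRecord:
    """Hardened handler: the object is returned only when the id in the
    request matches the identity taken from the server-side session.
    The check runs before the lookup, so an unauthorized request does not
    even learn whether the id exists."""
    if requested_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read user {requested_id}")
    return USERS[requested_id]


def get_own_information(session_user_id: int) -> UserRecord:
    """Alternative design that removes the parameter entirely: the handler
    derives the object id from the session, so there is nothing in the
    request for the client to tamper with."""
    return USERS[session_user_id]


def enumerate_records(handler: Callable[[int, int], UserRecord], session_user_id: int) -> List[int]:
    """Replay the id=1, id=2, id=3 probes from the article against a handler
    while logged in as `session_user_id`, and return the ids the handler
    disclosed. This is the check an application security reviewer runs to
    confirm or rule out IDOR on an endpoint."""
    disclosed = []
    for candidate in USERS:
        try:
            handler(session_user_id, candidate)
        except Forbidden:
            continue
        disclosed.append(candidate)
    return disclosed


if __name__ == "__main__":
    print("vulnerable:", enumerate_records(get_user_information_vulnerable, 1))  # [1, 2, 3]
    print("fixed:     ", enumerate_records(get_user_information_fixed, 1))       # [1]
```

Logged in as user 1, the vulnerable handler discloses all three records while the fixed handler discloses only the requester's own. The point of the hardened version is that the authorization decision depends on the session, which the server controls, and not on a parameter the client chooses.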

How Attackers Take Advantage of IDOR Attacks

What an attacker can do is limited by the scope of the IDOR vulnerability. The most commonly affected areas are pages where a user's information is retrieved and displayed. If an attacker were to exploit an IDOR vulnerability, they could:

How to Prevent IDOR