IDOR (Insecure Direct Object Reference) Comprehensive Guide

What is IDOR?

Insecure Direct Object Reference (IDOR) occurs when an application provides direct access to objects based on user-supplied input without proper authorization checks.

IDOR Impact Severity:

  • Unauthorized data access (PII, financial records, etc.)
  • Data modification or deletion
  • Account takeover
  • Privilege escalation
  • Compliance violations

Red Team Techniques (Offensive)

1. Identification Techniques

Common Parameters

user_id
account_id
order_id
document_id
file_id
transaction_id
invoice_number

Testing Methodology

  • Increment numeric IDs (1001 → 1002)
  • Try predictable patterns (INV-100 → INV-101)
  • Test UUIDs from other accounts
  • Check both GET and POST requests

2. Advanced Exploitation

Mass Data Extraction

# Automated script example
for id in {1000..2000}; do
  curl "https://example.com/api/user/$id/profile" >> data.txt
done

Chained Vulnerabilities

1. Find IDOR in profile endpoint
2. Extract API keys from profiles
3. Use keys to access admin endpoints

3. Bypass Techniques

Parameter Tampering

# Change parameter names
user_id → account_id
id → uid

# Add parameters
?user_id=1001&debug=true

HTTP Method Switching

GET /api/user/1001 → POST /api/user
GET /file?id=123 → HEAD /file/123

4. Real-World Attack Scenarios

Healthcare Data Leak

1. Find patient_id parameter
2. Increment to access other records
3. Extract sensitive medical data

E-commerce Fraud

1. Find order_id parameter
2. Modify to access other orders
3. Extract payment details

5. Tools & Automation

Discovery Tools

  • Burp Suite Scanner
  • OWASP ZAP
  • Param Miner
  • Arjun

Exploitation Tools

  • Burp Intruder
  • Postman/Insomnia
  • Custom Python scripts

Analysis Tools

  • jq for JSON processing
  • Browser developer tools
  • Network analyzers

Blue Team Defenses (Defensive)

1. Secure Access Control

Authorization Checks

// Node.js example
function getDocument(req, res) {
  const docId = req.params.id;
  const doc = db.getDocument(docId);
  
  // Verify ownership
  if (doc.owner !== req.user.id) {
    return res.status(403).send('Forbidden');
  }
  res.json(doc);
}

Role-Based Access

# Python Django example
@permission_required('app.view_sensitive_data')
def view_data(request, data_id):
    data = get_object_or_404(Data, pk=data_id)
    return render(request, 'data.html', {'data': data})

2. Indirect References

UUID Implementation

// Java example
public String generateSecureReference() {
    return UUID.randomUUID().toString();
}

Mapping Tables

# Database schema
CREATE TABLE document_access (
    public_id VARCHAR(36) PRIMARY KEY,
    internal_id INT NOT NULL,
    user_id INT NOT NULL
);

3. Monitoring & Detection

Anomaly Detection

  • Unusual access patterns
  • Multiple failed authorization checks
  • Rapid sequential ID access

WAF Rules

  • Block suspicious parameter patterns
  • Rate limit sensitive endpoints
  • Detect mass enumeration attempts

4. Secure Development

Framework Features

  • Djangos permission_required
  • Spring Security annotations
  • Ruby on Rails Pundit

Code Review

  • Static analysis tools
  • Manual authorization checks
  • Peer review sessions

5. Defense in Depth

Database Layer

  • Row-level security
  • View-based access
  • Stored procedures

Application Layer

  • Middleware authorization
  • DTO validation
  • Input sanitization

Presentation Layer

  • Token-based references
  • Obfuscated identifiers
  • Limited data exposure

Additional Resources & References

Learning Resources

Security Tools

IDOR Mitigation Checklist

  • Implement proper authorization checks for all object accesses
  • Use indirect references (UUIDs, mapping tables)
  • Apply principle of least privilege
  • Log and monitor access to sensitive objects
  • Conduct regular security audits and code reviews
  • Implement rate limiting on sensitive endpoints
  • Use framework-provided security features
  • Educate developers about IDOR risks

Legal Notice

This content is provided for educational purposes only. Never test security vulnerabilities against systems without explicit permission. Unauthorized testing may violate laws.