What is IDOR?
Insecure Direct Object Reference (IDOR) occurs when an application provides direct access to objects based on user-supplied input without proper authorization checks.
1. IDOR Impact Severity:
- Unauthorized data access (PII, financial records, etc.)
- Data modification or deletion
- Account takeover
- Privilege escalation
- Compliance violations
Red Team Techniques (Offensive)
1. Basic IDOR
Basic Insecure Direct Object Reference (IDOR) vulnerabilities occur when an application exposes a direct reference to an internal object, such as a file, database record, or user account, without enforcing proper authorization checks. Attackers can manipulate these references to access or modify data they shouldn’t be able to.
Example URL Manipulation:
GET /documents/1001
// Attacker changes URL to access another user's document:
GET /documents/1002
By modifying the document ID, the attacker can access unauthorized content.
Common Attack Vectors:
- Predictable or sequential object IDs
- Insufficient authorization checks on object access
- Direct references exposed in URLs, forms, or APIs
Mitigation Techniques:
- Implement strict authorization checks on every object access
- Use indirect references or mapping (e.g., UUIDs, tokens)
- Avoid predictable IDs and enforce access control by user role
2. Horizontal IDOR
Horizontal IDOR occurs when a user is able to access or manipulate data belonging to another user with the same privilege level by modifying object references like user IDs. This allows attackers to bypass authorization by impersonating peers.
Example Scenario:
GET /profile/view?user_id=1001
// Attacker changes user_id to view another user's profile:
GET /profile/view?user_id=1002
By changing the user ID parameter, the attacker accesses another user’s private information.
Common Indicators:
- URLs or APIs exposing user-identifiers in parameters
- Lack of verification that the requested resource belongs to the authenticated user
- Similar privilege levels for both attacker and victim accounts
Prevention Measures:
- Always verify resource ownership before granting access
- Use session-based identity checks rather than user-supplied parameters
- Implement role-based access controls (RBAC) to restrict data visibility
3. Vertical IDOR
Vertical IDOR happens when a lower-privileged user gains access to resources or functionality meant only for higher-privileged roles (e.g., admin-only pages or actions) by manipulating direct object references without proper authorization checks.
Example Scenario:
POST /admin/deleteUser
{
"userId": 123
} // submitted by a regular userA non-admin user is able to perform an admin-only action by directly calling privileged endpoints.
Common Indicators:
- Privileged functions accessible without role checks
- Endpoints accepting object references without verifying user privilege
- Role escalation possible by changing IDs or parameters
Mitigation Techniques:
- Enforce strict role-based access control (RBAC) on all endpoints
- Validate user privileges before processing sensitive requests
- Use separate APIs or endpoints for admin-level functions
- Audit logs and alerts on privilege escalation attempts
4. Indirect IDOR
Indirect IDOR occurs when applications use indirect references—like tokens, hashes, or UUIDs—instead of direct object IDs, but these references are predictable, guessable, or insufficiently protected, allowing attackers to bypass authorization controls.
Example Scenario:
GET /files/download?token=abc123def456
// Attacker guesses or enumerates tokens:
GET /files/download?token=abc123def457
Although the app uses tokens to obscure real IDs, predictable tokens can still be exploited to access unauthorized resources.
Common Signs:
- Use of opaque or indirect references without proper validation
- Weak or guessable token generation schemes
- Lack of authorization checks tied to the actual user or session
Prevention Strategies:
- Use strong, cryptographically secure random tokens
- Validate authorization on every request regardless of token
- Implement token expiration and revocation mechanisms
- Consider user-specific tokens or session binding
5. Mass Assignment
Mass Assignment vulnerabilities occur when an application blindly binds user-controlled input (such as JSON or form data) to internal objects without filtering or validating which fields can be modified. This allows attackers to overwrite sensitive or protected properties, like roles or permissions.
Example Exploit:
PATCH /user/profile
{
"username": "attacker",
"role": "admin" // unauthorized field modification
}The attacker modifies the user role by including protected fields in the request payload that the backend mistakenly trusts.
Common Causes:
- Automatic binding of all request parameters to model objects
- Lack of input validation or whitelist filtering
- Exposing sensitive fields to client input unintentionally
Mitigation Techniques:
- Whitelist allowed fields for binding explicitly
- Use dedicated DTOs (Data Transfer Objects) or input models
- Implement strict server-side validation and authorization
- Avoid exposing sensitive fields in client-side forms or APIs
IDOR Tools & Automation
Discovery & Scanning
- Burp Suite (with active scanning and parameter manipulation)
- OWASP ZAP (automated scanning with custom IDOR detection rules)
- ffuf and wfuzz (for brute forcing object IDs and endpoints)
Exploitation & Payload Generation
- Burp Intruder (custom payloads to test object reference enumeration)
- Param Miner (detects hidden parameters and IDOR vectors)
- Custom scripts for mass assignment and role escalation payloads
Post-Exploitation & Analysis
- Burp Collaborator (to detect OOB data leaks)
- Manual access pattern analysis and response comparison
- Logging tools (Splunk, ELK) to monitor unauthorized access attempts
Blue Team Defenses (Defensive)
1. Secure Access Control
Authorization Checks
// Node.js example
function getDocument(req, res) {
const docId = req.params.id;
const doc = db.getDocument(docId);
// Verify ownership
if (doc.owner !== req.user.id) {
return res.status(403).send('Forbidden');
}
res.json(doc);
}Role-Based Access
# Python Django example
@permission_required('app.view_sensitive_data')
def view_data(request, data_id):
data = get_object_or_404(Data, pk=data_id)
return render(request, 'data.html', {'data': data})2. Indirect References
UUID Implementation
// Java example
public String generateSecureReference() {
return UUID.randomUUID().toString();
}Mapping Tables
# Database schema
CREATE TABLE document_access (
public_id VARCHAR(36) PRIMARY KEY,
internal_id INT NOT NULL,
user_id INT NOT NULL
);3. Monitoring & Detection
Anomaly Detection
- Unusual access patterns
- Multiple failed authorization checks
- Rapid sequential ID access
WAF Rules
- Block suspicious parameter patterns
- Rate limit sensitive endpoints
- Detect mass enumeration attempts
4. Secure Development
Framework Features
- Djangos permission_required
- Spring Security annotations
- Ruby on Rails Pundit
Code Review
- Static analysis tools
- Manual authorization checks
- Peer review sessions
5. Defense in Depth
Database Layer
- Row-level security
- View-based access
- Stored procedures
Application Layer
- Middleware authorization
- DTO validation
- Input sanitization
Presentation Layer
- Token-based references
- Obfuscated identifiers
- Limited data exposure
IDOR Mitigation Checklist
- Implement proper authorization checks for all object accesses
- Use indirect references (UUIDs, mapping tables)
- Apply principle of least privilege
- Log and monitor access to sensitive objects
- Conduct regular security audits and code reviews
- Implement rate limiting on sensitive endpoints
- Use framework-provided security features
- Educate developers about IDOR risks
Additional Resources & References