Insecure Direct Object Reference IDOR : Broken Access Control

The document discusses insecure direct object reference (IDOR), which is a type of access control vulnerability. It provides an overview of what IDOR is, how it can be exploited, and ways to prevent it such as enforcing access controls and using hashed values instead of numbers or strings.

Insecure Direct Object Reference (IDOR): Broken Access Control


IDOR (Broken Access Control)

~# whoami

• Eric Biako, BSc. IT, CEH v9
• Information security officer @ E-connecta
• Moderator @ https://legalhackmen.com

IDOR occurs when user-supplied input (the identifier of an object) is used unvalidated, and the application grants direct access to whatever object that identifier names.

This is a session-management concern: the user must be authenticated and/or authorized for the requested object before it is returned.
Impact

• Unauthorized information disclosure
• Modification or destruction of data
• Performing a function outside of the limits of the user

Prevent it

Enforce access control policies such that users cannot act outside of their intended permissions.

Use a hash function and expose hashed values instead of plain numbers or strings as object references.

For example, a plain numeric id versus a hashed value:

www.example.com/user.php?id=12

www.example.com/user.php?id=ea3eda3d3w2293
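The two preventions above in code, as an added example that is not part of the slides: a Python stand-in for the slide's user.php endpoint with a vulnerable handler, a handler that enforces the access-control policy, and the hashed-reference variant, which resolves the opaque value and then still applies the policy, because an unguessable id is not an authorization check. USERS, SERVER_KEY and the handler names are constructed for this demo.

```python
import hashlib
import hmac

# Constructed sample data standing in for the user table behind user.php.
USERS = {
    12: {"name": "alice", "email": "alice@example.com"},
    13: {"name": "bob", "email": "bob@example.com"},
}

def handle_vulnerable(session_user_id, query_id):
    """IDOR: the id from the query string is looked up directly; the
    authenticated user (session_user_id) is never consulted."""
    record = USERS.get(int(query_id))
    return (200, record) if record else (404, None)

def authorized(session_user_id, object_id):
    """The access-control policy for this demo: users read only their own record."""
    return session_user_id == object_id

def handle_secure(session_user_id, query_id):
    """Same lookup, but the policy is enforced before any data leaves the server."""
    if not str(query_id).isdigit():
        return (400, None)          # reject malformed input before the lookup
    object_id = int(query_id)
    if object_id not in USERS:
        return (404, None)
    if not authorized(session_user_id, object_id):
        return (403, None)          # a 403 here is worth logging as a possible IDOR probe
    return (200, USERS[object_id])

# Second measure from the slides: expose a hashed value instead of the raw number.
# A keyed hash (HMAC) is used so a client cannot compute references itself;
# the key is a constructed placeholder, not a real secret.
SERVER_KEY = b"constructed-demo-key"

def to_reference(object_id):
    mac = hmac.new(SERVER_KEY, str(object_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def handle_by_reference(session_user_id, reference):
    """Resolve the opaque reference back to a real id, then still apply the
    policy: an unguessable reference does not by itself authorize access."""
    for object_id in USERS:
        if hmac.compare_digest(to_reference(object_id), reference):
            return handle_secure(session_user_id, str(object_id))
    return (404, None)
```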

DEMO

• bWAPP (www.itsecgames.com): https://sourceforge.net/projects/bwapp/files/bWAPP/
• OWASP WebGoat: https://github.com/WebGoat/WebGoat

• https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/
• https://www.gracefulsecurity.com/idor-insecure-direct-object-reference/
• https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782
• https://medium.com/@woj_ciech/explaining-idor-in-almost-real-life-scenario-in-bug-bounty-program-c214008f8378
• https://blog.detectify.com/2016/05/25/owasp-top-10-insecure-direct-object-reference-4/
