What is IDOR (Insecure Direct Object References) Vulnerability and How to Avoid it?
It is common in web applications and attackers can access the system. infiltrate one of the vulnerabilities used for IDOR (Insecure Direct Object Reference) It is one of the security vulnerabilities that can be taken quickly.
What is IDOR Vulnerability?
When a website is visited, the applications in its content are accessed through objects. These objects; It is also used to describe important situations such as accessing database, files and directories. Attackers can imitate or manipulate object values owned by another user. In this way, they obtain the identity information of the targeted person on the application.
This attack method is defined as IDOR (Insecure Direct Object References). Turkish equivalent of IDOR vulnerability "Orientation to Unsafe ObjectsIt can also be translated as '. IDOR vulnerability ranked 4th in the Top 10 most common vulnerabilities list, first announced by OWASP in 2013. In the statement in 2017, it found its place in the A5 category and has taken its place in the Broken Access Control vulnerability type and is a security vulnerability that is frequently tested within the scope of penetration testing studies.
What Are the Effects of IDOR Vulnerability?
The IDOR (Insecure Direct Object References) vulnerability can have huge implications. Since the attackers can control the account they have taken over, they can obtain all the information on the account. In addition, since the IDOR vulnerability will make it possible to bypass the authentication, it will also make it possible to log into a more authorized account. The attacker, who gains access to the authorized account, can also activate other types of vulnerabilities detected in the system, causing a chain of vulnerabilities. This method is also used by the experts during the penetration test studies within the authorization phases.
IDOR Vulnerability Example
https://zararlidomain.com/parola_degistirme.php?hesap=451
A url is specified above as an example. In this url, some metric values can also be seen when changing the password of the harmfullidomain.com user. The attacker who noticed this url 451 the one which... bill can make changes with the metric value. bill By making numerical manipulations with the metric value found as a metric, other userid users can change their password.
https://zarardomain.com/kullanicilar/451
There is a similar situation in another example mentioned above. attackers, users can change the numeric metrics in the directory that identify users. Thus, it can gain unauthorized access by accessing metric values belonging to other users.
Solution Suggestions: How to Fix IDOR Vulnerability?
Access controls should be tightened to close the IDOR vulnerability or mitigate its impact. The frameworks used while developing the web application infrastructure should be up-to-date and well-known. Thus, it will be possible to take quick action in case of fixing the IDOR vulnerabilities. This is the method that plays the most effective role in preventing IDOR vulnerability.
During access to objects, data exchange should be done in encrypted form with hash. Decryption of this hash or user token information should be supported by strong encryption algorithms. In addition, software developers should be careful about viewing important objects by the user.
IDOR with a similar vulnerability Cross Site Request Forgery (CSRF) Our article about the vulnerability may be of interest to you.