Insecure Direct Object Reference (IDOR) – A Gaping Hole

Insecure Direct Object Reference (IDOR) – A Gaping Hole This is an aerial shot of sheep leaving a grazing field in complete accord through a narrow gate while it looks like there isn’t even a fence in the first place (or perhaps a frail one that would not hold for long). The sheep are conditioned to think that the narrow gate is their only way out and each of them can only leave the field by passing through it. This is a fascinating phenomenon that goes to show how easily the individual can be trained to fall in with the herd. Now if you were to assume that the users of your application, like these sheep, will always follow rules, things can go very wrong. It would be no overstatement to say that this assumption is the root cause of most errors in the ‘authentication-authorization-session management’ triad of web and mobile applications everywhere. Particularly, in the case of the highly potent but often overlooked IDOR vulnerability. Given the chance, a snoopy user can be expected to ‘explore’ and poke around for hidden treasures. Insecure Direct Object References occur when the reference to an internal object is exposed without proper access control checks in a way that would allow a malicious user to access restricted objects. Commonly exploited by even amateur hackers, the IDOR flaw can be leveraged to access, modify or destroy database and file entries, widely impacting the privacy and availability of application data and user data. The vulnerability stems from improper input validation with the intent to administer access control i.e. to verify that the user requesting access to an object is permitted to view it. “Anticipating deviation is essential in forestalling unauthorized access. Assume that all input has potential to be malicious.”