IDOR stands for Insecure Direct Object Reference. It occurs when an application exposes a reference to an internal object (such as a database key or a file name) in an unsafe manner. Whenever a user generates or sends an HTTP request, or receives a response from the server, it carries parameters such as “ID”, “UID”, “PID”, etc. whose values uniquely identify the objects assigned to that user. An attacker may find such parameter values in HTTP paths, cookies, and headers. By tampering with these values, the attacker can access or modify other users' data, and this missing access control is what constitutes an Insecure Direct Object Reference vulnerability.
Figure 1: IDOR Flow
HTTP defines a set of request methods that indicate the action to be performed on a given resource. In simple terms, it is the method of communication between the server side and the client side.
Figure 1.1: HTTP Methods
In general, Insecure Direct Object Reference (IDOR) has three types of attack vectors:
Here we can see how Insecure Direct Object Reference (IDOR) works in a modern web application; we test a PortSwigger lab for this attack.
This is the official URL to access the lab: https://acc91f8f1f83a99b805b1001001c0052.web-security-academy.net
To solve this lab, we need to obtain the password of the user CARLOS via the IDOR vulnerability.
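To make the defect concrete, here is an added example (not code from the original post or from the PortSwigger lab) that models the pattern described above: an endpoint that takes an object id from the request and looks it up. The first handler trusts the id and is vulnerable to IDOR; the second adds the server-side ownership check that removes it. The user "alice", the account ids and the `Account` fields are constructed for the example.

```python
# Added example: minimal in-memory model of a GET /account?id=<n> handler,
# first with the IDOR defect and then with the authorization check that fixes it.
from dataclasses import dataclass


@dataclass
class Account:
    id: int
    owner: str   # username that owns the record
    email: str


# Constructed sample data standing in for the application's database.
ACCOUNTS = {
    101: Account(101, "alice", "alice@example.invalid"),
    102: Account(102, "carlos", "carlos@example.invalid"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def vulnerable_get_account(session_user: str, requested_id: int) -> Account:
    """IDOR: the client-supplied id is never compared with the session user.

    Any authenticated user can read any account just by changing the id."""
    account = ACCOUNTS.get(requested_id)
    if account is None:
        raise KeyError(requested_id)
    return account


def secure_get_account(session_user: str, requested_id: int) -> Account:
    """Fixed: the object must belong to the authenticated session user.

    'Missing' and 'not yours' return the same error so the response does
    not reveal which ids exist (no enumeration oracle)."""
    account = ACCOUNTS.get(requested_id)
    if account is None or account.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not read account {requested_id}")
    return account


def is_readable(session_user: str, requested_id: int) -> bool:
    """True if the hardened handler lets session_user read requested_id."""
    try:
        secure_get_account(session_user, requested_id)
        return True
    except Forbidden:
        return False
```

The same check applies to every object-bearing parameter the text lists (path segments, cookies, headers), not only query strings.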
Author:
Rituraj Vishwakarma
Attack & PenTest Team
Varutra Consulting Pvt. Ltd
You were born to lead an extraordinary life, to do extraordinary things and to help an extraordinary number of people. - Mike Litman