Real-World Bug Hunting

16INSECURE DIRECT OBJECT REFERENCES

An insecure direct object reference (IDOR) vulnerability occurs when an attacker can access or modify a reference to an object, such as a file, database record, account, and so on, that should be inaccessible to them. For example, let’s say the website www.<example>.com has private user profiles that should be accessible only to the profile owner through the URL www.<example>.com/user?id=1. The id parameter would determine which profile you’re viewing. If you can access someone else’s profile by changing the id parameter to 2, that would be an IDOR vulnerability.

Finding Simple IDORs

Some IDOR vulnerabilities ...

Get Real-World Bug Hunting now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Real-World Bug Hunting by Peter Yaworski

16INSECURE DIRECT OBJECT REFERENCES

Finding Simple IDORs

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly