# Intro

- `Insecure Direct Object References (IDOR)` vulnerabilities are among the most common web vulnerabilities and can significantly impact the vulnerable web application
- IDOR vulns occur when a web app exposes a direct reference to an object, like a file or a database record, which the end-user can directly control to obtain access to other similar objects
- If any user can access any resource because there is no solid access control system, the application is considered vulnerable
- For example, if users request access to a file they recently uploaded, they may get a link to it such as (`download.php?file_id=123`)
- So, as the link directly references the file with (`file_id=123`), what would happen if we tried to access another file (which may not belong to us) with (`download.php?file_id=124`)?
- If the web application does not perform a proper access control check on the back-end, we may be able to access any file just by sending a request with its `file_id`

# Why is IDOR a Vuln?
- Exposing a direct reference to an internal object or resource is not a vulnerability in itself, but it makes it possible to exploit another weakness: a `weak access control system` that does not verify, on every request, that the requesting user is actually allowed to access the referenced object
- A proper access control system solves this problem: RBAC for role-gated functions, combined with an object-level ownership check for per-user resources (RBAC alone does not stop one `user` from reading another `user`'s file); merely hiding or obfuscating the reference does not

# Impact of IDOR

- A basic example of an IDOR vulnerability is accessing private files and resources of other users that should not be accessible to us, like personal files or credit card data. This is known as an `IDOR Information Disclosure Vulnerability`
- Depending on the nature of the exposed direct reference, the vulnerability may even allow the modification or deletion of other users' data, which may lead to a complete account takeover
- Once an attacker identifies the direct references, which may be database IDs or URL parameters, they can start testing specific patterns (e.g. incrementing the ID, or replacing it with another user's ID) to see whether they can gain access to any data, and may eventually work out how to extract or modify data for any arbitrary user
- IDOR vulns may also lead to the elevation of user privileges from a standard user to an administrator user, known as `IDOR Insecure Function Calls`
- For example, many web apps expose URL parameters or APIs for admin-only functions in the front-end code of the web application and only disable these functions for non-admin users on the client side; if the back-end never checks the caller's role, a non-admin user can call the function directly
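The two cases above (the `download.php?file_id=123` information disclosure from the intro, and the admin-only insecure function call), as an added example that is not part of the original notes. It models both endpoints twice: the vulnerable form, which trusts the identifier in the request, and the fixed form, which checks the server-side session against the object's owner or the caller's role. The user and file tables, the `Session` object and the role names are constructed for the example, and the "delete" handler only reports what it would do rather than touching real data.

```python
"""Added example (not from the original notes): a minimal model of the
download.php?file_id=N endpoint and an admin-only function, each in a
vulnerable and a fixed version.

The user/file tables, the Session object and the role names below are
constructed assumptions for illustration, not a real application.
"""
from dataclasses import dataclass

# Constructed sample data: who owns which file, and each user's role.
USERS = {
    1: {"name": "alice", "role": "user"},
    2: {"name": "bob", "role": "user"},
    3: {"name": "carol", "role": "admin"},
}
FILES = {
    123: {"owner_id": 1, "name": "alice-tax-return.pdf"},
    124: {"owner_id": 2, "name": "bob-card-statement.pdf"},
    125: {"owner_id": 2, "name": "bob-photo.jpg"},
}


@dataclass
class Session:
    """Server-side session: the identity here is trusted, the request is not."""
    user_id: int


def download_vulnerable(session: Session, file_id: int):
    """IDOR: file_id from the URL is looked up directly.
    Only existence is checked, never who is asking."""
    record = FILES.get(file_id)
    if record is None:
        return 404, None
    return 200, record["name"]


def download_fixed(session: Session, file_id: int):
    """Same endpoint with an object-level ownership check against the session.
    Answering 404 (not 403) for other users' files avoids confirming that
    the object exists, which would otherwise aid enumeration."""
    record = FILES.get(file_id)
    if record is None or record["owner_id"] != session.user_id:
        return 404, None
    return 200, record["name"]


def delete_user_vulnerable(session: Session, target_user_id: int):
    """'Insecure function call': the admin-only endpoint is merely hidden in
    the front-end; the server never checks the caller's role.
    (Simulated: reports the action instead of deleting anything.)"""
    if target_user_id not in USERS:
        return 404, None
    return 200, f"would delete user {target_user_id}"


def delete_user_fixed(session: Session, target_user_id: int):
    """RBAC check done server-side from the session, not from any
    client-controlled parameter."""
    if USERS[session.user_id]["role"] != "admin":
        return 403, None
    if target_user_id not in USERS:
        return 404, None
    return 200, f"would delete user {target_user_id}"


def probe_file_ids(handler, session: Session, id_range):
    """What a tester does after seeing file_id=123: walk neighbouring IDs and
    collect every one the application serves to this session."""
    return [fid for fid in id_range if handler(session, fid)[0] == 200]


if __name__ == "__main__":
    alice = Session(user_id=1)  # a normal user, owns only file 123
    print("vulnerable download:", probe_file_ids(download_vulnerable, alice, range(120, 130)))
    print("fixed download:     ", probe_file_ids(download_fixed, alice, range(120, 130)))
    print("vulnerable delete:  ", delete_user_vulnerable(alice, 2))
    print("fixed delete:       ", delete_user_fixed(alice, 2))
```

Running it as alice shows the vulnerable download handler serving files 123, 124 and 125 while the fixed one serves only 123, and the vulnerable delete endpoint accepting a request that the fixed one rejects with 403. Note that the fix is applied per request on the server; changing what the front-end shows to non-admin users would not alter either result.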