CrackitToday App

Insecure Direct Object Reference (IDOR)

A serious data leak was narrowly avoided after the Indian government fixed a major security flaw known as an IDOR, or “insecure direct object reference,” in its income tax e-filing portal.

  • It is a web application security vulnerability that occurs when an application exposes internal object identifiers, such as database keys or file paths, to users without proper access controls.
  • It can enable attackers to manipulate these identifiers and gain unauthorized access to sensitive data or perform unauthorized actions on the system.
  • IDOR vulnerabilities arise due to inadequate validation and authorization checks on user-supplied input, which may allow malicious users to bypass intended access restrictions.
  • Websites often want to serve different content to different users: for example, a shopping website might let each user view their purchase history.
  • Websites can identify users by authenticating them, using a method such as a password or a passkey.
  • Often, once a website has authenticated a user, it will set a session cookie in that user’s browser; then, when the user makes a request, the server knows that the request came from this authenticated user.
  • However, as well as checking that the request came from an authenticated user, the server must implement access control for the resources that the user requests: that is, it must check that this user is allowed to access the specific resource requested.
  • For example, each authenticated user must only be allowed to see their own purchase history.
  • If a server does not implement access control for resources, then an attacker who is signed into the site may be able to access the resources belonging to a different user.
  • This is called an Insecure Direct Object Reference (IDOR) attack.
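The purchase-history scenario described in the points above, as an added example that is not code from the original article: a toy handler that authenticates the caller from a session cookie and then returns an order. The first version performs only authentication, so any signed-in user can read any order (the IDOR pattern); the second adds the per-object authorization check; a third avoids client-supplied identifiers entirely by scoping the query to the authenticated user. The session values, usernames and orders are constructed sample data, not records from any real site.

```python
"""
Added example (not from the original article): a toy web handler that serves a
user's purchase history, first without a per-resource authorization check (the
IDOR pattern described above) and then with the check in place.

All users, sessions and orders below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str          # username of the customer who placed the order
    items: tuple


# Session cookie value -> authenticated username (what the login step establishes).
SESSIONS = {
    "sess-alice-7f3a": "alice",
    "sess-bob-91c2": "bob",
}

# "Database" keyed by the internal identifier the URL exposes (e.g. /orders/1002).
ORDERS = {
    1001: Order(1001, "alice", ("book", "lamp")),
    1002: Order(1002, "bob", ("headphones",)),
}


class Unauthenticated(Exception):
    """No valid session cookie was presented."""


class NotFound(Exception):
    """The requested order does not exist or is not visible to this user."""


def authenticate(session_cookie: str) -> str:
    """Step 1: map the session cookie to a user. This alone is NOT access control."""
    try:
        return SESSIONS[session_cookie]
    except KeyError:
        raise Unauthenticated("no valid session")


def get_order_vulnerable(session_cookie: str, order_id: int) -> Order:
    """IDOR: confirms that *someone* is logged in, then returns whatever order the
    client asked for. Ownership is never checked, so changing the id in the URL
    exposes another customer's order."""
    authenticate(session_cookie)            # authentication only
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def get_order_secure(session_cookie: str, order_id: int) -> Order:
    """Fixed: after authentication, verify that the requested object belongs to
    the requesting user before returning it."""
    user = authenticate(session_cookie)
    order = ORDERS.get(order_id)
    # Use the same error for "does not exist" and "exists but belongs to someone
    # else", so the response does not confirm which ids are in use by other users.
    if order is None or order.owner != user:
        raise NotFound(order_id)
    return order


def list_my_orders(session_cookie: str) -> list:
    """Alternative design: scope the query by the authenticated user rather than
    trusting a client-supplied id. There is no identifier to tamper with."""
    user = authenticate(session_cookie)
    return [o for o in ORDERS.values() if o.owner == user]


if __name__ == "__main__":
    # Bob's session asks for order 1001, which belongs to Alice.
    print("vulnerable handler returned:", get_order_vulnerable("sess-bob-91c2", 1001))
    try:
        get_order_secure("sess-bob-91c2", 1001)
    except NotFound as e:
        print("secure handler refused order", e)
    print("bob's own orders:", list_my_orders("sess-bob-91c2"))
```

The fix is a single ownership comparison placed after authentication and before the data is returned; in a real application that comparison belongs in the data-access layer or a shared authorization helper so that every endpoint touching the object applies it, rather than being repeated by hand in each handler.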