Insecure direct object references (IDOR)

Insecure direct object reference (IDOR) is a vulnerability that occurs when an attacker can access or modify objects by manipulating the reference the application uses to locate or authorize them. The vulnerability stems from a lack of proper validation of user input: if an attacker controls a value that the application does not validate but still uses to verify authorization, the result is very likely an IDOR.

Example

Imagine the following Python code. It takes the user's input from the Cookie header and looks for the cookie parameter userdata. If it finds the parameter, it base64-decodes the value and reads the JSON key named role, which holds the role the user is authorized as.

The code is vulnerable to an IDOR because it compares the role taken from user-supplied data directly, without any validation. This means an attacker can assign themselves a role of their choosing simply by modifying the value inside the cookie parameter userdata.

To demonstrate this, we can now include this base64 value in our cookie parameter userdata and send a request to the vulnerable application with curl.

This curl request with our customized user data gives us access to the administrator's dashboard.
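The handler the article describes, as an added example that is not the article's own code: a vulnerable role check that trusts the role field inside the base64 JSON of the userdata cookie, beside a hardened version that keeps only an opaque, HMAC-signed session id in the cookie and looks the role up server-side. The cookie name userdata and the key role come from the article; the session table, the signing key and the helper names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data for this example (assumptions, not from the article).
SERVER_SECRET = b"example-only-key-do-not-reuse"            # hypothetical server-side key
SESSION_STORE = {"sess-1001": {"user": "alice", "role": "user"}}  # hypothetical session table


def parse_userdata_cookie(cookie_header: str) -> Optional[dict]:
    """Find the 'userdata' cookie and decode its base64-encoded JSON object."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "userdata":
            continue
        try:
            data = json.loads(base64.b64decode(value, validate=True))
        except ValueError:          # bad base64, bad UTF-8 or bad JSON
            return None
        return data if isinstance(data, dict) else None
    return None


def role_vulnerable(cookie_header: str) -> Optional[str]:
    """Vulnerable check: the role is read straight from client-controlled data."""
    data = parse_userdata_cookie(cookie_header)
    if data is None:
        return None
    return data.get("role")          # whatever the client wrote is believed


def role_hardened(cookie_header: str) -> Optional[str]:
    """Hardened check: the cookie only carries an opaque session id and an HMAC tag;
    the role comes from the server-side session table, never from the client."""
    data = parse_userdata_cookie(cookie_header)
    if data is None:
        return None
    session_id, tag = data.get("session"), data.get("sig", "")
    if not isinstance(session_id, str) or not isinstance(tag, str):
        return None
    expected = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                  # missing, forged or tampered cookie
    session = SESSION_STORE.get(session_id)
    return session["role"] if session else None


def make_hardened_cookie(session_id: str) -> str:
    """Server-side issuance of the signed cookie used by role_hardened."""
    tag = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    payload = json.dumps({"session": session_id, "sig": tag}).encode()
    return "userdata=" + base64.b64encode(payload).decode()


def crafted_cookie(role: str) -> str:
    """Client-side cookie of the kind the article describes: role chosen by the sender."""
    payload = json.dumps({"username": "guest", "role": role}).encode()
    return "userdata=" + base64.b64encode(payload).decode()


if __name__ == "__main__":
    forged = crafted_cookie("administrator")
    print("vulnerable handler sees role:", role_vulnerable(forged))   # administrator
    print("hardened handler sees role:  ", role_hardened(forged))     # None
    print("hardened, valid session:     ", role_hardened(make_hardened_cookie("sess-1001")))  # user
```

The point of the hardened version is that authorization data never round-trips through the client: the cookie is only a handle, its integrity is checked with a constant-time comparison, and the role is resolved from server state. A signed cookie that carries the role itself would also stop tampering, but keeping the role server-side additionally lets you change or revoke it without reissuing cookies.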

Now that you know the basics of how an IDOR vulnerability works, you can test your practical skills on our official challenges.