NuHarbor Security
  • Solutions
    Solutions
    Custom cybersecurity solutions that meet you where you are.
    • Overview
    • Our Approach
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • By Business Need
      • Identify Gaps in My Cybersecurity Plan
      • Detect and Respond to Threats in My Environment
      • Fulfill Compliance Assessments and Requirements
      • Verify Security With Expert-Led Testing
      • Manage Complex Cybersecurity Technologies
      • Security Monitoring With Splunk
    • By Industry
      • State & Local Government
      • Higher Education
      • Federal
      • Finance
      • Healthcare
      • Insurance
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Services
    Services
    Outcomes you want from a team of experts you can trust.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Security Testing
      • Penetration Testing
      • Application Penetration Testing
      • Vulnerability Scanning
      • Wireless Penetration Testing
      • Internal Penetration Testing
      • External Penetration Testing
    • Assessment & Compliance
      • CMMC Compliance
      • NIST 800-53
      • HIPAA Security Standards
      • ISO 27001
      • MARS-E Security Standards
      • New York Cybersecurity (23 NYCRR 500)
      • Payment Card Industry (PCI)
    • Advisory & Planning
      • Security Strategy
      • Incident Response Planning
      • Security Program Reviews
      • Security Risk Assessments
      • Virtual CISO
      • Policy Review
    • Managed Services
      • Curated Threat Intelligence
      • Managed Detection and Response (MDR)
      • Sentinel Managed Extended Detection and Response (MXDR)
      • SOC as a Service
      • Splunk Managed Services
      • Tenable Managed Services
      • Vendor Security Assessments
      • Vulnerability Management
      • Zscaler Support Services
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Partners
  • Resources
    Resources
    Explore reports, webinars, case studies, and more.
    • Browse Resources
    • Consultation Icon Consult with an expert
    • Blog icon Blog
    • Podcast icon Podcast
    • Annual SLED CPR icon Annual SLED CPR
    • Downloadable Assets icon Downloadable Assets
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Company
    Company
    We do cybersecurity differently – the right way.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Leadership
    • News
    • Careers
    • Contact
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Consult with an expert
  • Client support
  • Careers
  • Contact
1.800.917.5719
NuHarbor Security Blog
    • Compliance
    • Cybersecurity Technology
    • Security Operations
    • Industry Insights
    • Security Testing
    • Advisory and Planning
    • Application Security
    • Managed Detection and Response
    • Threat Intelligence
    • NuHarbor
    • Managed Services
    • Cyber Talent
June 18, 2020

Web App Vulnerability Basics: Insecure Direct Object Reference

NuHarbor Security

This is the fourth installment in a series on Web Application Vulnerability Basics.


​What Is Insecure Direct Object Reference?

Insecure Direct Object Reference, also known as IDOR, is a reference to an internal implementation object that is exposed to a user without proper access control. IDOR can lead to attackers bypassing authentication and accessing resources, accounts, and modifying some data. IDOR is often leveraged for horizontal movement, but vertical movement is also possible.

How Do IDOR-based Attacks Work?

First, an attacker will identify an insecurely implemented direct object reference. This can be any type of data including integers, strings, dates or times, GUIDs, or even request headers. The attacker must also identify the data format of the fields. Using this, the attacker will determine a range and attempt to enumerate over other objects or resources they shouldn’t have access to by modifying the IDOR vulnerable field. This only works if the web application has not implemented proper access control and will serve content without verifying the user should have access to it.

For example, a bank statement uses IDOR and does not properly implement access control. An attacker generates a bank statement through the web application and sees that the URL is bank.example.com/bank_statement?statementId=4324. The attacker correctly guesses that the statementId field is autoincremented, and verifies this by accessing the statementId of 4323, which returns the bank statement of the last person to use the application from a different user. Knowing that IDOR attacks are possible on the web application, the attacker will then use a tool or script to enumerate all bank statements that have an ID between 0 and 4324 and download them.

Mitigating IDOR-based Attacks

There are a few mitigation strategies that can prevent IDOR abuse. Implement proper access control server-side to prevent users from accessing unauthorized resources. Make sure to verify the session is for the expected user and the user has access to the data they are requesting.

Another way to mitigate IDOR based attacks is to avoid directly referencing objects when possible. Use an indirect reference map, leverage internal session management or other methods to ensure that key backend references are not exposed on the front end. Limit passing identifying parameters on requests whenever possible.

If user-exposed direct object reference is necessary, avoid sequentially assigning object identifiers that are easy to enumerate. Instead, use an unpredictable and large data field for references such as GUID or UUID that makes it hard to enumerate and exploit, even if the access control has been bypassed or is missing.

Note: An IDOR attack is extremely hard for a WAF to detect, and most are not able to identify and prevent IDOR attacks. A WAF leverages pattern matching to determine if the request is valid or malicious, and since an IDOR attack modifies data inside a valid request, the signature of the request is generally unchanged. Utilizing a WAF is generally not a good strategy for preventing IDOR abuse.

Conclusion

IDOR based attacks are easy to execute and generally don’t require a high level of skill. Utilizing proper access control and validation along with avoiding direct object reference can greatly reduce the potential for an IDOR based attack. Verify that IDOR is not an issue with your web application: utilize a web app pen test from NuHarbor.

Other Posts in the Web Application Vulnerability Basics Series:

Web App Vulnerability Basics: Path Traversal

Web App Vulnerability Basics: Cross-Site Request Forgery

Web App Vulnerability Basics: Cross-Site Scripting

Included Topics

  • Application Security,
  • Security Testing

Related Posts

Compliance 3 min read
NIST 800-53 Security Assessment Process Read More
Compliance 3 min read
HIPAA Risk Analysis vs. Gap Assessment: What’s the Difference? Read More
Compliance 5 min read
Physical Security Playbook Read More

Subscribe via Email

Subscribe to our blog to get insights sent directly to your inbox.

Subscribe Here!

Latest Pwned episodes

Episode 200 - Reflections of Pwned...Until Next Time
April 03, 2024
Episode 200 - Reflections of Pwned...Until Next Time
Listen Now
Episode 199 - When a BlackCat Crosses Your Path...
March 21, 2024
Episode 199 - When a BlackCat Crosses Your Path...
Listen Now
Episode 198 - Heard it Through the Grapevine - Beyond the Beltway, 2024
March 08, 2024
Episode 198 - Heard it Through the Grapevine - Beyond the Beltway, 2024
Listen Now
NuHarbor Security logo
NuHarbor Security

553 Roosevelt Highway
Colchester, VT 05446

1.800.917.5719

  • Solutions
  • Services
  • Partners
  • Resources
  • Company
  • Contact
  • Privacy Policy
Connect
  • Twitter
  • Linkedin
  • YouTube
©2025 NuHarbor Security. All rights reserved.