IDOR Bootcamp

Master Insecure Direct Object Reference vulnerabilities and their exploitation techniques

Low Difficulty Beginner
Medium Difficulty Intermediate
High Difficulty Advanced

About IDOR Vulnerabilities

Insecure Direct Object Reference (IDOR) vulnerabilities occur when an application exposes a reference to an internal object (a database key, file name, or similar identifier), takes that reference from user-supplied input, and retrieves the object without first verifying that the requesting user is authorized to access it. An attacker who substitutes another valid reference is then served resources that belong to someone else.
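To make the missing check concrete, here is an added example (not code from the bootcamp or any real application) showing the same document lookup with and without object-level authorization, plus a small detection helper that flags accounts refused on many distinct ids; the users, ids, and documents are constructed sample data.

```python
# Added example, not code from the bootcamp: the same document lookup with and
# without an object-level authorization check, plus a small detection helper.
# Users, ids and documents below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Document:
    doc_id: int
    owner: str
    shared_with: set = field(default_factory=set)
    body: str = ""

class NotAuthorized(Exception):
    pass

# Constructed store keyed by the same integer a client would send as doc_id.
DOCS = {
    101: Document(101, "alice", body="alice payroll export"),
    102: Document(102, "bob", shared_with={"carol"}, body="bob draft"),
}

def get_document_vulnerable(current_user: str, doc_id: int) -> str:
    """IDOR: doc_id from the request is used directly; current_user is never
    compared with the object's owner or share list, so any valid id is served."""
    return DOCS[doc_id].body

def get_document_hardened(current_user: str, doc_id: int) -> str:
    """Object-level authorization: fetch the object, then check that this user
    may read it. Missing and forbidden ids fail identically, so a client
    probing ids cannot tell which ones exist."""
    doc = DOCS.get(doc_id)
    if doc is None or (doc.owner != current_user and current_user not in doc.shared_with):
        raise NotAuthorized(f"user {current_user!r} may not read doc {doc_id}")
    return doc.body

def is_denied(current_user: str, doc_id: int) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        get_document_hardened(current_user, doc_id)
    except NotAuthorized:
        return True
    return False

def users_enumerating(denials, threshold: int = 3) -> list:
    """Detection: from (user, doc_id) denial events, list users refused on at
    least `threshold` distinct ids, a typical trace of someone walking doc_id."""
    distinct = {}
    for user, doc_id in denials:
        distinct.setdefault(user, set()).add(doc_id)
    return sorted(u for u, ids in distinct.items() if len(ids) >= threshold)
```

Note that the hardened handler performs the check per object on every request rather than relying on the id being hard to guess; unguessable ids reduce exposure but are not an authorization control.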

Common IDOR Sources
User Parameters: user_id, id, uid, user
Document Parameters: doc_id, file_id, document, file
Admin Parameters: admin_id, role, permission
API Parameters: api_key, token, endpoint
Database Parameters: db_id, table, record
Common IDOR Types
User Data Access: Accessing other users' profiles, messages, files
Document Access: Viewing, downloading, or modifying unauthorized documents
Admin Functions: Accessing admin panels, user management, system settings
API Access: Accessing other users' API data, endpoints, or resources
Database Access: Accessing unauthorized database records or tables
Real-World Impact
Unauthorized access to user data and personal information
Access to confidential documents and sensitive files
Privilege escalation and admin function access
Data exfiltration and unauthorized data modification
Bypassing access controls and authorization mechanisms
Compliance violations and privacy breaches