IDOR

Insecure Direct Object Reference

  • The app exposes a reference to an internal object (a database key, user id, file name) and uses it directly, without checking that the current user is allowed to access that object

  • E.g. a cookie value of 2 for the current user can be changed to 3, and the attacker can then see another user's information
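A minimal illustration of the cookie-value case above, added here as an example (not part of the original notes): the vulnerable lookup takes the id straight from the request, while the fixed version resolves the caller from the session and enforces ownership before returning the object. The user records, session store and function names are constructed for this example.

```python
# Constructed sample data: user records keyed by their internal id.
USERS = {
    2: {"id": 2, "name": "alice", "email": "alice@example.com"},
    3: {"id": 3, "name": "bob", "email": "bob@example.com"},
}

# Constructed session store: the server already knows who is logged in.
SESSIONS = {"sess-alice": 2}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_profile_vulnerable(session_token, requested_user_id):
    """IDOR: the id taken from the request (cookie, URL or form field) is used
    as the lookup key directly; authentication happens, authorization does not."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return USERS.get(requested_user_id)


def get_profile_fixed(session_token, requested_user_id):
    """Fix: derive the caller's identity server-side and require that the
    requested object belongs to that identity before returning it."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        raise Forbidden("not logged in")
    if requested_user_id != caller_id:
        # Ownership check on every object access; log denials for detection.
        raise Forbidden("object does not belong to the caller")
    return USERS.get(requested_user_id)


def fixed_allows(session_token, requested_user_id):
    """Helper: True if the hardened handler would return the object."""
    try:
        get_profile_fixed(session_token, requested_user_id)
        return True
    except Forbidden:
        return False
```

In a real application the ownership check is usually done in the data layer (query scoped by the caller's id) so that no handler can forget it.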

Testing

  • HTML and JS files (look for object ids embedded in links, forms and API calls)

  • Cookies (both encoded and plain-text values)

  • URL parameters, e.g.:

    • id, userid, value, pid, post_id

Impact

  • Account takeover

  • Change user data

  • Access private data

  • Access internal data
