• Designers and developers of web application frameworks and web applications
• All end-user organizations deploying on premise software or private cloud models

High risk of exploitation leading to unauthorized access, data breaches and potential financial losses.

Impact Assessment

1. The application reveals a direct reference to an internal resource or operation.


2. The user is able to manipulate a URL or form parameter to modify the direct reference.


3. The application grants access to the internal object without checking if the user is authorized.

• URL Tampering: The URL is modified at the client¿s end by tweaking the parameters in the HTTP request and unauthorised data is accessed.


• Body Manipulation: In this case attackers modify the value of a checkbox, radio buttons, APIs, and form fields to access information from other users with ease.


• HTTP Requests: These type of IDOR vulnerabilities is typically found in GET, POST, PUT, and DELETE verbs.


• Obtaining unauthorized data access: Exposed object references may reveal direct database IDs, allowing attackers to retrieve database records containing sensitive information. Database key names and values can also be used to prepare SQL injection payloads.


• Getting direct access to files: Typically combined with path traversal, this type of IDOR lets attackers manipulate file system resources. This could allow attacker to upload/download files, manipulate other users¿ data.


• API Endpoints: Restful APIs often rely on object references (IDs) in request paths (e.g., /api/user/123). Without proper checks, this can expose user data or resources.


• Cookies: Some applications store sensitive data (like session tokens or user IDs) in cookies.

• Exposure of sensitive information


• Unauthorized modification or deletion of data


• Privilege escalation


• Business disruptions or financial losses


• Potential violations of compliance and regulatory standards

• Identification of the Vulnerable Parameter: Locate parameters in URLs or POST requests that reference objects directly, such as user IDs or object IDs.


• Manipulating the Identifier: Modify the identifier to reference another object. For instance, change 123 to another user ID in the URL https://example.com/user/123 to attempt unauthorized access.


• Verify Access: Checking if the application allows access to the new object without proper authorization checks


• Exploiting the Access: Utilize the unauthorized access to perform actions like reading sensitive data, modifying or deleting data.


• Parameter Pollution: Testing multiple values for the same parameter to see if it leads to unexpected behaviour and potentially bypasses checks.


• JSON Globbing: Experimenting with different JSON body structures to see if the application handles them differently and bypasses security checks3


• Privilege Escalation: Attempt to gain higher privileges by altering the user parameters and bypassing access controls.


• Password Leakage: Exploiting the vulnerability to access user accounts and modify parameters or extract sensitive information.

• Developers should avoid displaying private object references such as keys or file names.


• Developer may use secure hashes instead of actual object references to make it harder for attackers to tamper with user-controllable values. 


• Tokens should be generated in such a way that it can only be mapped to the user and is not public.


• Validation of parameters should be properly implemented.


• Verification of all the referenced objects should be checked.


• Ensure that queries are scoped to the owner of the resource. 


• Avoiding IDOR is only possible by building a Robust access control mechanism may be, choosing the best fit methodology for your scenario, log all access and if possible do an audit with a post authorization check.


• Avoid using a simple pattern to reference objects in the backend, thus not using a sequential integer value but something like UUID or even a MAC (hashed ID) with user session. This does not eliminate the IDOR, but reduces the overall impact and the ability to enumerate objects. 


• Use server-side access control validation rather than client-side.


• Implement server-side access controls to ensure users are authorized to access or modify the requested resource.


• Use proper authorization mechanisms such as role-based access control and validate the user¿s permissions before serving the resource.


• Implement rate-limiting, and obfuscate object IDs using secure tokens or hashed references.


• Implement session validation and use anti-CSRF tokens to prevent unauthorized access through hijacked sessions.


• Integrate automated security testing in your development pipeline (e.g., using Dynamic Application Security Testing).


• Perform regular code reviews to ensure that sensitive object references aren¿t exposed to the user.


• Conduct regular security audits to identify and patch vulnerabilities from CERT-In empanelled auditors. 


• Refer to the API security best practices as recommended in the whitepaper titled "API Security: Threats, Best Practices, Challenges, and Way forward using AI" released by CERT-In on 14 August 2023.This is available at following URL:
  https://www.cert-in.org.in/PDF/CIWP-2023-0001.pdf


• Comply with Cyber Security Directions issued by CERT-In on 28 April 2022. Cyber security directions issued by CERT-In on 28 April 2022 are available at following URL:
  https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf