Insecure Direct Object References (IDOR)

💡 See WebSecurityAcademy (PortSwigger) – Access control vulnerabilities.

How to test

Intercept requests with Burp and play with parameters to access data from other clients.

To locate the injection point in a request, use Burp Suite’s Comparer tool. Right-click the request and choose “Send to Comparer”. Then build the same request for a different object and send it to Comparer as well.

Open the Comparer tool and click the “Words” button; the window that appears highlights the points where the two requests differ.

Examples

A client accesses information from other clients, usually by changing some id like document-id.

An API like /messages/5955, where 5955 is a message the client is allowed to see. Change the message ID to one belonging to another client.
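The /messages/5955 case above, as an added example that is not from the original page: a minimal Python model of the endpoint with the IDOR-prone lookup beside the ownership-scoped one, plus the two-account differential check described under “How to test”. The message store, user names and function names are constructed for the example.

```python
# Added example: not from the original page. Models a /messages/<id> endpoint.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: int
    owner: str
    body: str


# Constructed sample store: 5955 belongs to alice, 5956 to bob.
MESSAGES = {
    5955: Message(5955, "alice", "alice's invoice"),
    5956: Message(5956, "bob", "bob's medical record"),
}


class NotFound(Exception):
    pass


def get_message_vulnerable(user: str, message_id: int) -> Message:
    """IDOR: the object is fetched by the user-supplied id alone, so any
    authenticated user can read any id they can guess."""
    if message_id not in MESSAGES:
        raise NotFound(message_id)
    return MESSAGES[message_id]


def get_message_fixed(user: str, message_id: int) -> Message:
    """Scopes the lookup to the caller's own objects. A foreign id gets the
    same 404 as a non-existent one, so the response does not reveal which
    ids exist."""
    msg = MESSAGES.get(message_id)
    if msg is None or msg.owner != user:
        raise NotFound(message_id)
    return msg


def idor_check(handler, owner_user: str, other_user: str, message_id: int) -> bool:
    """Differential test: same id, two accounts. Returns True only when the
    owner can read the object AND a second account can read it as well."""
    try:
        handler(owner_user, message_id)   # baseline: the legitimate owner
        handler(other_user, message_id)   # the account that must be refused
    except NotFound:
        return False
    return True
```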

Reporting

CVSS Score v3: Variable
  4.3 (Low)
  8.1 (Major)

CVSS Vector v3: Example
  https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N&version=3.1 (4.3)
  https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N&version=3.1 (8.1)

English

Title: IDOR: <description of the action>
Description: Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input.
<Description of the application behavior and impact>
Steps to reproduce: <Specific steps>
Include screenshots.
Remediation: It is recommended to…
The difficulty of fixing this vulnerability is assessed as one of “Very complex, Complex, Moderate, Simple”.

French

Title: IDOR: <description of the action>
Description: Insecure Direct Object References (IDOR) vulnerabilities occur when an application provides direct access to objects based on input that the user can modify.
<Description of the application behavior and impact>
Steps to reproduce: <Specific steps>
Include screenshots.
Remediation: It is recommended to …
The difficulty of the fix is assessed as one of “Very complex, Complex, Medium, Simple”.