Insecure Direct Object References (IDOR) is an access control vulnerability that allows an attacker to manipulate another user's account through a unique identifier.
A unique identifier is a piece of data that is associated with a user and can be:
- An incremental numeric value.
- The national identity card (NID) number.
- The email address.
- The telephone number.
- Bank account number, etc.
Let's take a look at an example of a real-life exploitation in a banking application.
Verify that the identifier you are accessing belongs to the user who is logged into the application.
// Check that origin account belongs to the current user.
if ($tef->origin != Auth::user()->product->id) {
return [
'code' => '0001',
'message' => 'Possible bank fraud. Your IP address has been logged.',
];
}# Check that origin account belongs to the current user.
if data["origin"] != request.user.products.get().number:
return JsonResponse({
"code": "0001",
"message": "You don't have permission to perform this operation.",
})Let's try to hack it π
- Download the distribution code from https://github.com/itsecurityco/OWASP-101/archive/refs/heads/A01.zip and unzip it.
- Run
docker compose up db -dand and wait until it's over to build and populate the database. - Run
docker compose up python -dto build and start the vulnerable Python application. - Run
docker compose up php -dto build and start the vulnerable PHP application.
Open your browser and go to http://localhost:5000/ to start hacking the Bank PY.
Open your browser and go to http://localhost:8000/ to start hacking the Bank PHP.
Developed by @itsecurityco