Insecure Direct Object Reference, IDOR

DETECTION

• Substitute UIDs, user hashes, emails
• Check for static files with authenticated account and then try to access them with low-priv or no-priv account
• Check for static files by Discover Content and by inferring from other documents names
• Create two users and cross-validate access to private resources
• Look for leakid IDs
• Examples:

• • http:/foo.bar/somepage?invoice=12345
  • http:/foo.bar/changepassword?user=someuser
  • http:/foo.bar/showImage?img=img00011
  • http:/foo.bar/accessPage?menuitem=12

• Identify any and all UID and
• • increment
  • decrement
  • negative values

Common functions, views, files

Add / Upload file Email change
Delete File
Password change
Transfer Money / Currency
Profile edit

Images
Receipts
Private documents

Shipping info
Purchase orders
Sending & Deleting messages