IDOR allows deletion of other users' public and private memos in usememos/memos
Reported on
Dec 23rd 2022
Description
What is IDOR (Insecure Direct Object Reference)?
Insecure direct object references are common, potentially devastating vulnerabilities resulting from broken access control in web applications. IDOR bugs allow an attacker to maliciously interact with a web application by manipulating a “direct object reference,” such as a database key, query parameter, or filename.
Steps to Reproduce
1> Create two accounts. As user 1 (the victim), create a public memo and a private memo. As user 2 (the attacker), archive one of user 2's own existing memos.
2> As user 2, delete the archived memo and intercept the resulting delete request in a proxy.
3> Replace the memo ID in the intercepted request with the ID of one of user 1's memos, forward it, and observe the response.
4> User 1's memo is deleted, even though user 2 has no access to it.
Proof of Concept
Screenshots link: https://drive.google.com/drive/folders/12B6R5faVtPevFYk0zIfbemD0nSAfz_wu?usp=sharing
Impact
Any authenticated user can delete every memo in the application, public or private, regardless of who owns it; the only requirement is one legitimate delete request of their own to serve as a template. Because memo IDs are small, sequentially incremented integers, no guessing is needed: the attacker can simply replay the request over the whole ID range.
Mitigation
1> Enforce object-level authorization on every memo operation: before deleting (or editing) a memo, the server must verify that the memo belongs to the authenticated user or that the user is otherwise permitted to act on it.
2> Derive the acting user's identity from the server-side session only; never trust a user ID or memo owner supplied in the request.
3> Replacing sequential numeric IDs with random, unguessable identifiers (for example UUIDs) makes enumeration harder, but it is only defence in depth and not a substitute for the check in (1): a memo ID that is leaked or shared would still be deletable by anyone who knows it.
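The following is an added example, not code from the memos project, showing a minimal Go delete endpoint in the vulnerable shape the reproduction steps describe next to a fixed version that applies the ownership check from mitigation (1) and takes the user only from the session as in (2). The `/api/memo?memoId=` route, the `session` cookie carrying the user ID, and the in-memory store are assumptions made for the example and do not reflect the real memos API; `deleteAs` replays step 3 of the report against both handlers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Memo is a minimal stand-in for a memo row; CreatorID is the owning user.
type Memo struct{ ID, CreatorID int }

// Store is an in-memory memo table keyed by ID (constructed for this example).
type Store map[int]Memo

// currentUserID models the session lookup. Hypothetical scheme for this
// example only: the "session" cookie carries the authenticated user's ID.
func currentUserID(r *http.Request) (int, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return 0, false
	}
	uid, err := strconv.Atoi(c.Value)
	return uid, err == nil && uid > 0
}

// resolve does what both handlers share: authenticate the caller, parse the
// memoId query parameter (hypothetical route shape) and load the memo.
// A non-zero status means the request must be rejected with that status.
func resolve(s Store, r *http.Request) (Memo, int, int) {
	uid, ok := currentUserID(r)
	if !ok {
		return Memo{}, 0, http.StatusUnauthorized
	}
	id, err := strconv.Atoi(r.URL.Query().Get("memoId"))
	if err != nil {
		return Memo{}, uid, http.StatusBadRequest
	}
	m, ok := s[id]
	if !ok {
		return Memo{}, uid, http.StatusNotFound
	}
	return m, uid, 0
}

// VulnerableDeleteHandler requires a logged-in user but deletes whichever
// memoId the client supplies: the IDOR pattern described in the report.
func VulnerableDeleteHandler(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		m, _, status := resolve(s, r)
		if status != 0 {
			w.WriteHeader(status)
			return
		}
		delete(s, m.ID) // missing: is the session user this memo's creator?
		w.WriteHeader(http.StatusOK)
	}
}

// FixedDeleteHandler adds the object-level check: the owner is read from the
// stored record and compared with the session user, never taken from input.
func FixedDeleteHandler(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		m, uid, status := resolve(s, r)
		if status != 0 {
			w.WriteHeader(status)
			return
		}
		if m.CreatorID != uid {
			w.WriteHeader(http.StatusForbidden) // 404 also works and hides whether the ID exists
			return
		}
		delete(s, m.ID)
		w.WriteHeader(http.StatusOK)
	}
}

// deleteAs replays the report's step 3: send DELETE for memoID with user
// uid's session (uid 0 = no session) and return the HTTP status.
func deleteAs(h http.Handler, uid, memoID int) int {
	req := httptest.NewRequest(http.MethodDelete, "/api/memo?memoId="+strconv.Itoa(memoID), nil)
	if uid > 0 {
		req.AddCookie(&http.Cookie{Name: "session", Value: strconv.Itoa(uid)})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// seed builds the report's setup: user 1 (victim) owns memo 1, user 2
// (attacker) owns memo 2.
func seed() Store { return Store{1: {ID: 1, CreatorID: 1}, 2: {ID: 2, CreatorID: 2}} }

func main() {
	v, f := seed(), seed()
	fmt.Println("vulnerable, attacker deletes victim's memo 1:", deleteAs(VulnerableDeleteHandler(v), 2, 1), "memos left:", len(v))
	fmt.Println("fixed, attacker deletes victim's memo 1:", deleteAs(FixedDeleteHandler(f), 2, 1), "memos left:", len(f))
	fmt.Println("fixed, attacker deletes own memo 2:", deleteAs(FixedDeleteHandler(f), 2, 2), "memos left:", len(f))
}
```

The only difference between the two handlers is the `m.CreatorID != uid` comparison, which is the whole fix: authentication (is there a session?) was already present in the vulnerable shape, authorization (does this session own this object?) was not. Note that the owner is compared against the record loaded from the store, so a client-supplied owner field would make no difference.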
Occurrences
Hi Steven, can you please assign a CVE for this issue, since the impact of this is High?