IDOR (Insecure direct object references)
Vulnerability Name: IDOR (Insecure direct object references) on [Domain name]
Vulnerability Description: An IDOR arises when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. In such cases, the attacker can manipulate those references to get access to unauthorized data.
Vulnerable Parameter:
[vulnerable parameter]
Steps to Reproduce:
- 1. Log in to the application.
- 2. Go to the [URL] and intercept the request.
- 3. Alter the vulnerable parameter value to something else.
- 4. Forward the request and check the response.
- 5. You should see the information of another user through your account.
- 6. This is IDOR (Insecure direct object references).
Proof-of-concept:
Snapshots or video link attached
Impact: IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.
Attack Scenario: [Create your own attack scenario according to the workflow of the website]
Remediation: The only real solution to this issue is to implement access control. The user needs to be authorized for the requested information before the server provides it.
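The remediation above as an added example (not part of the original template): a lookup that trusts the client-supplied key, next to one that authorizes the session user against the object's owner first. The `Invoice` type, the `INVOICES` data and all function names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for missing AND unauthorized objects, so responses do not reveal which IDs exist."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: str


# Constructed sample data standing in for the application's database.
INVOICES = {
    1001: Invoice(1001, owner_id=1, total="120.00"),
    1002: Invoice(1002, owner_id=2, total="75.50"),
}


def get_invoice_unchecked(session_user_id: int, invoice_id: int) -> Invoice:
    # The pattern this report describes: the client-supplied key is the only
    # thing that selects the record; the logged-in user is never consulted.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice_authorized(session_user_id: int, invoice_id: int) -> Invoice:
    # Remediation: authorize the server-side session identity against the
    # object's owner before returning anything.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        raise NotFound(invoice_id)
    return invoice


def can_read(session_user_id: int, invoice_id: int) -> bool:
    """Convenience wrapper: True only if the user may read the invoice."""
    try:
        get_invoice_authorized(session_user_id, invoice_id)
        return True
    except NotFound:
        return False
```

The user ID must come from the server-side session, never from a request parameter, or the check itself becomes tamperable.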