Hello guys! I am Jeya Seelan, a security researcher and bug hunter. This is my first bug bounty writeup. We are going to see a short story of an IDOR and how I could have taken over your account through it.

Before getting into the details, let's see what an IDOR is.

What is an IDOR?

IDOR stands for Insecure Direct Object Reference, and it is a type of access control vulnerability. OWASP describes it as follows:

“Insecure Direct Object Reference occurs when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more.”


Let us see an example. Consider two users, User A and User B. User A has a document with ID 1000 and User B has a document with ID 1002.

In the normal scenario, User A only has access to the document with ID 1000 and User B only has access to the document with ID 1002. But if User A changes the document ID in the request to User B's ID, 1002, and the server returns it, User A is able to read User B's document. This is broken access control, specifically an Insecure Direct Object Reference: the server trusts the object ID supplied by the client instead of checking who owns the object.
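The two-user scenario above, modelled as a tiny Python service (an added example, not code from the original post): the vulnerable lookup beside the fixed one that enforces ownership against the session identity, plus a small audit helper that counts authorization denials per user. User names, document IDs and contents are constructed for illustration.

```python
"""Added example: IDOR on a document lookup, vulnerable vs. fixed, with a
denial counter as a detection aid. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: User A owns 1000, User B owns 1002.
DOCUMENTS = {
    1000: Document(1000, "userA", "A's private notes"),
    1002: Document(1002, "userB", "B's private notes"),
}


class Forbidden(Exception):
    """Raised when the caller is not authorized to read the object."""


def get_document_vulnerable(session_user: str, doc_id: int) -> Document:
    """IDOR: the object is selected solely by the client-supplied ID.
    session_user is never compared with the owner, so a request that
    changes 1000 to 1002 hands User B's document to User A."""
    return DOCUMENTS[doc_id]


def get_document_fixed(session_user: str, doc_id: int) -> Document:
    """Fix: fetch the object, then enforce ownership server-side against the
    authenticated session identity, never against anything in the request."""
    doc = DOCUMENTS.get(doc_id)
    # Same error for "missing" and "not yours", so the endpoint does not
    # reveal which IDs exist.
    if doc is None or doc.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not read document {doc_id}")
    return doc


def audit_denials(requests):
    """Detection aid: count authorization failures per session user over a
    batch of (user, doc_id) requests. One user collecting many denials across
    consecutive IDs is the usual footprint of ID enumeration."""
    denials = {}
    for user, doc_id in requests:
        try:
            get_document_fixed(user, doc_id)
        except Forbidden:
            denials[user] = denials.get(user, 0) + 1
    return denials
```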


A Short Story of IDOR To Account Takeover