IDOR Explained: Everything you need to know

Insecure direct object reference (IDOR) vulnerabilities are making headlines as the scale of the threat they pose becomes clear.

Earlier this year, reports began surfacing of an unsecured Stripe Gateway plugin that allowed threat actors to access personally identifiable information (PII) associated with e-commerce orders. This included email addresses, user names, and physical addresses. The root of the vulnerability was an unauthenticated IDOR.

Since then, more and more IDOR vulnerabilities have been observed in the wild. In fact, cybersecurity agencies within the US and Australian governments have issued a joint advisory warning of the size of the threat posed by IDORs. 

In light of this growing awareness of IDOR threats, it is imperative that individuals and organizations act quickly to address any related gaps in their defenses. The race is on to mitigate your IDOR risks before cyberattackers can take advantage of them.

What is an IDOR vulnerability?

A type of access control vulnerability, IDORs occur when user-supplied information allows an attacker to access or modify an object within a particular application. When additional access control checks are not present, a threat actor can access data without being verified, which can subsequently lead to other privilege escalation attacks.

One of the most common examples of an IDOR vulnerability can be seen within a simple website URL. Imagine the below as the kind of web URL that directs a user to a customer account page for an e-commerce site:

• https://dodgywebshop.com/customer_account?customer_number=374857

Without any additional verification tools, a cyberattacker is able to simply modify the “customer_number” and access information relating to other customers. The attacker may be able to access the account of a user with additional privileges or steal sensitive information, like usernames and passwords, that allow them to conduct additional exploits.

In other cases, the user identifier may not be contained within a URL but nonetheless represents an IDOR vulnerability if additional access controls are not present. For instance, identifiers may be included in the POST request body sent to your API. Again, without additional authorization, an attacker can modify the user ID within the request to access sensitive credentials. In addition to user account credentials, static files can also be accessed this way when they are stored on the server side.

Why IDORs are so concerning

One of the reasons that IDORs present such a worrying threat is their ubiquity. Aside from high-profile exploits, including the leak of hundreds of millions of mortgage records and private COVID-19 vaccine information from across multiple US states, IDORs are commonplace opportunities for cyberattackers - wherever user accounts and internet-facing assets are employed. This could include any application that individuals use for their work or personal lives, as well as any website that stores personal user information. 

In fact, a study by the Cybersecurity & Infrastructure Security Agency (CISA) found that the use of "Valid Accounts'' was the most commonly successful attack technique for threat actors l. The accounts can be utilised to exploit IDOR vulnerabilities. Often, these Valid Accounts were those of former employees that were yet to be deleted from an active directory or an administrator account.  Valid accounts were employed in 56.1% of instances for establishing persistence in a compromised network, in 42.9% of privilege escalation attacks, and in 17.5% of defense evasion tactics.

Another concern is how easy IDOR vulnerabilities are to exploit. Because, in many cases, attackers simply have to change a numerical value to gain access to user objects or information, automated tools can be employed to test access controls at scale. As James Stanley, CISA Product Development Section Chief, explained to TechCrunch, “this is a major flaw with too little recognition or understanding within the cyber community.”

Recent trends in IDOR exploits

However, it is clear that recognition and understanding of the risks posed by IDORs is growing - as is an awareness of various trends related to these vulnerabilities. One of the most important is the way that an IDOR exposing a single website or application can have a country-wide impact. This was evident in the 2022 Optus hack, which led to almost 10 million customer records being exposed. 

The 2023 Common Weakness Enumeration Top 25 list finds that “missing authorization” has consistently moved up the list of weaknesses in terms of frequency. This means that many developers fail to implement authorization techniques consistently - leaving their web portals and applications vulnerable to an IDOR-related breach.

All the evidence suggests that perhaps the most worrying IDOR trend is that these exploits are becoming more common. Cyberattackers are clearly becoming more aware of the potential gains to be had from successfully exploiting an IDOR vulnerability - it’s about time security personnel gained a better understanding of how to fight back.

How you can close down IDOR threats

Although the widespread nature of IDOR vulnerabilities can initially appear overwhelming, there is a way for organizations to plug this security gap. First of all, a cultural shift is required to ensure that developers adopt a “secure-by-design” method whenever they are designing software. This means that security-first principles should be adopted from the very beginning of the development process. Then, access controls should be prioritized to ensure that IDOR vulnerabilities do not make their way into web portals or applications furthe down the line. 

Vendors, designers, and developers should consider using indirect reference maps, where sensitive information, such as customer IDs, are replaced with encoded, hidden values. A focus on security should also be extended whenever a vendor works with third-party libraries or frameworks. These must be kept continually up to date to mitigate against IDOR vulnerabilities and other threats stemming from outside the company walls. 

Additionally, automation can support the code review process, helping you to identify and remediate IDOR vulnerabilities. Given that organizations have to deal with a growing number of internet-facing assets, many of which are unknown or unmanaged, manually assessing the code for each one is not always feasible. 

However, given the scale and breadth of IDOR vulnerabilities, relying on improved development practices may not be enough. Proactive vulnerability scanning and penetration testing will also help eliminate vulnerabilities from internet-facing applications and network boundaries. 

That’s why we advise organizations to use automated testing tools to facilitate security testing, providing them with a more holistic view of their assets and any IDORs that may reside within them. Fuzz testing tools will allow you to find issues with input handling and penetration testing to simulate how a threat actor may exploit the software. This will allow you to adopt a hacker’s mindset. Visualize how they would discover and exploit IDOR vulnerabilities - and remove them before it’s too late. 

Finally, consider using dynamic application security testing (DAST) tools to identify IDOR vulnerabilities in web applications. This will provide you with a comprehensive map of your application, complete with the exact location of any vulnerability, as well as the received response to any inputs. This means your security personnel can carry out manual testing at a later date if required. 

With Hadrian’s automated penetration testing platform, this scale suddenly becomes manageable and security personnel can begin eliminating threats wherever they crop up. This, combined with a secure-by-design approach, will mean that IDOR vulnerabilities - for both existing and new applications - are quickly rooted out.