IDOR Attack Lab

Insecure Direct Object Reference

Back to Vault

Educational Purpose Only

IDOR vulnerabilities can expose sensitive data. This lab demonstrates the attack for educational purposes only. Always obtain proper authorization before testing any system for vulnerabilities.

Understanding IDOR

Insecure Direct Object Reference (IDOR) occurs when an application uses user-controllable input to access objects directly. If the application doesn't verify that the user is authorized to access the requested object, an attacker can access data belonging to other users.

Common IDOR Locations

/api/users/123 - User profiles
/documents/456 - Documents/files
/orders/789 - Order details
/invoices/download?id=101 - Invoice downloads
/messages?thread_id=202 - Private messages

Types of References

Sequential IDs: 1, 2, 3, 4... - Easy to enumerate
UUIDs: 550e8400-e29b-41d4-a716-446655440000 - Harder but still vulnerable without auth
Encoded IDs: MTIz (Base64 of "123") - Security through obscurity
Hashed IDs: a665a45920422f9d... - Still vulnerable if predictable

Interactive Document Portal

This simulates a document management system. You're logged in as a regular user. Try accessing documents you shouldn't have access to.

SecureDocs Portal Logged in: john.doe

Enter a document ID and click GET to fetch

ID Enumeration Tool

Results will appear here...

Attack Techniques

1. Simple ID Manipulation

# Original request (your document)
GET /api/documents/1001

# Modified request (someone else's document)
GET /api/documents/1002
GET /api/documents/1
GET /api/documents/admin

2. ID Enumeration with Burp Intruder

# Position marker
GET /api/documents/§1§

# Payload: Numbers 1-1000
# Look for 200 OK responses with different content lengths

3. Parameter Tampering

# URL parameters
/profile?user_id=1001 → /profile?user_id=1

# POST body
{"document_id": 1001} → {"document_id": 1}

# Headers
X-User-ID: 1001 → X-User-ID: 1

4. Horizontal vs Vertical IDOR

Horizontal: Accessing another user's data at the same privilege level
Vertical: Accessing admin functionality as a regular user

Defense Mechanisms

1. Server-Side Authorization Checks

Vulnerable Code:

def get_document(id):
    return Document.query.get(id)  # No authorization!

Secure Code:

def get_document(id):
    doc = Document.query.get(id)
    if doc.owner_id != current_user.id:
        if not current_user.is_admin:
            abort(403)  # Forbidden
    return doc

2. Use Indirect References

# Instead of direct database IDs
/api/documents/123

# Use per-user mapping
user_documents = {
    "doc_a": 123,  # User's own document
    "doc_b": 456   # User's own document
}
/api/documents/doc_a  # Maps to real ID server-side

3. Random/UUID Object References

# Less predictable but still needs auth checks!
/api/documents/550e8400-e29b-41d4-a716-446655440000

# UUIDs prevent enumeration but don't replace authorization

4. Access Control Lists (ACLs)

class Document:
    def can_view(self, user):
        if user.is_admin:
            return True
        if user in self.viewers:
            return True
        if user == self.owner:
            return True
        return False

Knowledge Check

1. What is the root cause of IDOR vulnerabilities?

A) Weak encryption

B) Missing authorization checks on object access

C) SQL injection

D) Cross-site scripting

2. Which is the BEST defense against IDOR?

A) Using UUIDs instead of sequential IDs

B) Encoding the IDs in Base64

C) Server-side authorization checks for every request

D) Rate limiting API requests

3. What is the difference between horizontal and vertical IDOR?

A) Horizontal accesses same-level users; vertical accesses higher privileges

B) Horizontal uses GET; vertical uses POST

C) Horizontal is more dangerous than vertical

D) There is no difference