IDOR (Insecure direct object references)

Vulnerability Name: IDOR (Insecure direct object references) on [Domain name]

Vulnerability Description: This vulnerability refers to, when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. In such cases, the attacker can manipulate those references to get access to unauthorized data.

[Don't forget to add your vulnerability description, the one given above is general description]

Vulnerable Parameter: [vulnerable parameter]

Steps to Reproduce:

  1. Login to the application.

  2. Go to the [URL] and intercept the request.

  3. Alter the vulnerable parameter value to something else.

  4. Forward the request and check the response.

  5. You should see the information of the another user through your account.

  6. This is IDOR (Insecure direct object references).

Proof-of-concept: Snapshots or video link attached

Impact: IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.

Attack Scenario: [Create your own attack scenario according to the workflow of website]

Remediation: The only real solution to this issue is to implement an access control. The user needs to be authorized for the requested information before the server provides it.