Insecure direct object reference

Very simply put, this vulnerability is present when an attacker is able to access an object which he ideally should not be able to access. “Sending the object in the POST body protects from IDOR” ... WRONG. Let’s hit the demo.



1) Below is a screen which changes the secret word (it can be anything, maybe a password) and stores it in the database.

New secret is “new secret”

2) Intercept the request using an intercepting proxy; here I have used Burp Suite.

“Intercept is on”, so that all requests are intercepted.

3) Here is our request to change the secret.

The highlighted portion is our entered secret.

4) Now I have changed it to “changed secret”.

See the highlighted changed secret.

In the above example we see how easily the secret can be changed. Let’s do some more harm and get some money involved now.


1) Below is the portal to book movie tickets.

We just need to enter the number of tickets.

2) Once confirmed, the balance deducted is shown. It may be deducted from an online wallet or something similar.

Fair enough: 1 ticket = 15 EUR.

3) Now we book 20 tickets and intercept the request using Burp.

20 tickets booked.

4) The intercepted request can be changed for the number of tickets.

See highlighted.

5) See the output... the amount deducted was so large that it was shown in exponential notation.

What if the ticket number was changed to 21 instead of 2000000000000000?
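The booking request above, as an added example that is not part of the original post: a handler that trusts the posted ticket count as-is (the demo's behaviour, including the float result that prints in exponential notation) beside one that keeps the price on the server, bounds the quantity and checks the wallet before deducting. The price of 15 EUR comes from the post; the per-order limit, the wallet class and the form dictionaries are constructed for the example.

```python
"""Added example (not from the original post): parameter tampering on a ticket
booking form, vulnerable handler beside a hardened one."""
import re
from dataclasses import dataclass

TICKET_PRICE_EUR = 15          # from the post: 1 ticket = 15 EUR; lives on the server
MAX_TICKETS_PER_ORDER = 20     # constructed business limit (assumption for the example)


@dataclass
class Wallet:
    """Stand-in for the online wallet the post mentions."""
    balance_eur: float


class BookingError(Exception):
    pass


def book_vulnerable(wallet: Wallet, form: dict) -> float:
    """Mirrors the demo: 'tickets' is taken from the POST body without any check,
    so an intercepted value such as 2000000000000000 produces a huge deduction
    that Python (like the portal in the post) renders in exponential notation."""
    qty = int(form["tickets"])
    total = float(qty) * TICKET_PRICE_EUR   # no range check, no balance check
    wallet.balance_eur -= total
    return total


def parse_quantity(raw) -> int:
    """Server-side validation of the posted quantity: ASCII digits only,
    within the business limit. Unicode digits, signs, blanks are rejected."""
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]{1,3}", raw) is None:
        raise BookingError("quantity must be a small non-negative integer")
    qty = int(raw)
    if not 1 <= qty <= MAX_TICKETS_PER_ORDER:
        raise BookingError(f"quantity must be between 1 and {MAX_TICKETS_PER_ORDER}")
    return qty


def book_hardened(wallet: Wallet, form: dict) -> int:
    """Same flow, but the server decides the price, bounds the quantity and
    refuses to deduct more than the wallet holds. Integer arithmetic keeps the
    amount exact."""
    qty = parse_quantity(form.get("tickets", ""))
    total = qty * TICKET_PRICE_EUR
    if total > wallet.balance_eur:
        raise BookingError("insufficient funds")
    wallet.balance_eur -= total
    return total


if __name__ == "__main__":
    # constructed requests: the honest one and the tampered one from the post
    honest = {"tickets": "2"}
    tampered = {"tickets": "2000000000000000"}
    print("vulnerable, tampered:", book_vulnerable(Wallet(100.0), tampered))
    w = Wallet(100.0)
    print("hardened, honest:", book_hardened(w, honest), "balance left:", w.balance_eur)
    try:
        book_hardened(Wallet(100.0), tampered)
    except BookingError as exc:
        print("hardened, tampered: rejected ->", exc)
```

The regex deliberately caps the field at three characters before the range check, so an oversized value is rejected before it is even converted; the range check then enforces the real business rule. The balance check is what turns the post's "amount went exponential" into an ordinary declined transaction.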


  • Tokenization – Mapping tokens in place of direct object references. Tokens should be generated randomly by some means and should neither repeat nor be easy to guess.
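The tokenization mitigation above, applied to the change-secret demo from the first part of the post, as an added example that is not the post's own code: each session hands out random, per-session tokens for the objects the logged-in user owns, and the server resolves a posted token back to the real id instead of trusting an id from the request. The user names, object ids and secrets are constructed sample data.

```python
"""Added example (not from the original post): an indirect reference map
(tokenization) for the change-secret form, vulnerable handler beside a hardened one."""
import secrets

# constructed data: how the database might hold each user's secret word
SECRETS_DB = {101: "alice's secret", 102: "bob's secret"}
OWNER = {101: "alice", 102: "bob"}


class AccessDenied(Exception):
    pass


def change_secret_vulnerable(form: dict) -> None:
    """Mirrors the demo: the object id comes straight from the POST body, so
    whoever intercepts the request can point it at any row."""
    SECRETS_DB[int(form["id"])] = form["secret"]


class Session:
    """Per-session indirect reference map: random token -> real object id.
    Tokens are minted only for objects the session's user owns, so a token
    from another session (or a guessed one) resolves to nothing."""

    def __init__(self, username: str):
        self.username = username
        self._token_to_id: dict[str, int] = {}

    def token_for(self, object_id: int) -> str:
        """Token to embed in the form instead of the raw id (refuses foreign ids)."""
        if OWNER.get(object_id) != self.username:
            raise AccessDenied(f"{self.username} does not own object {object_id}")
        for tok, oid in self._token_to_id.items():   # reuse within the session
            if oid == object_id:
                return tok
        tok = secrets.token_urlsafe(16)               # 128 bits of randomness, unguessable
        self._token_to_id[tok] = object_id
        return tok

    def resolve(self, token: str) -> int:
        try:
            return self._token_to_id[token]
        except KeyError:
            raise AccessDenied("unknown or foreign token") from None


def change_secret_hardened(session: Session, form: dict) -> int:
    """The posted token is resolved through the session's map; ownership is
    re-checked against the database as a second, independent control."""
    oid = session.resolve(form["token"])
    if OWNER.get(oid) != session.username:
        raise AccessDenied("ownership check failed")
    SECRETS_DB[oid] = form["secret"]
    return oid


if __name__ == "__main__":
    alice = Session("alice")
    tok = alice.token_for(101)
    print("form carries token", tok, "not id 101")
    print("updated", change_secret_hardened(alice, {"token": tok, "secret": "new secret"}))
    for bad in ({"token": "102"}, {"token": tok[::-1]}):   # raw id or altered token
        try:
            change_secret_hardened(alice, {**bad, "secret": "changed secret"})
        except AccessDenied as exc:
            print("rejected:", exc)
```

The map is scoped to the session, so a token copied out of one user's traffic is meaningless in another user's session; the explicit ownership check in the handler is kept on purpose, because a token map only prevents guessing, while the ownership check is what enforces authorization if the map is ever bypassed.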
