Abstract

IDOR (Insecure Direct Object Reference) is a security vulnerability that occurs when a web application does not adequately validate or authorize access to directly referenced objects such as data or resources. In the context of web application security, objects can be files, database records, or other resources identified by a parameter or direct reference. IDOR allows an attacker to manipulate parameters passed to a web application to gain unauthorized access to objects they should not have access to. By exploiting this vulnerability, attackers can access, modify, or delete data that should only be accessible to authorized users. One of the dangers of accessing data on websites is that data retrieval techniques based on object IDs are often vulnerable to Insecure Direct Object Reference (IDOR) attacks. Therefore, retrieving data from $_SESSION can be a safer alternative that avoids the IDOR vulnerability: with this technique, only the account in use can be accessed, and access to other technician accounts is not possible. The use of additional query parameters can also increase website security and protect the data and information contained therein. Thus, adding additional validation to the code can help prevent IDOR vulnerabilities from occurring in web applications.
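As an added example (not code from the paper), the three patterns the abstract contrasts are shown side by side in PHP with PDO: lookup by a client-supplied object ID, lookup bound to $_SESSION, and lookup with an additional ownership predicate in the query. The table names `technicians` and `work_orders`, their columns, the `$pdo` connection and the session key `technician_id` are all assumptions made for the illustration.

```php
<?php
// Added example, not the paper's code. Assumes a `technicians` table with
// columns id, name, email, a `work_orders` table with columns id,
// technician_id, description, a PDO connection in $pdo, and a session key
// `technician_id` set at login. All of these names are assumptions.
session_start();

// --- Vulnerable pattern: the row to show is chosen by a client-supplied id.
// Any logged-in technician can change ?id= and read another technician's
// record, because nothing ties the id to the caller's own account.
function getTechnicianByRequestId(PDO $pdo): ?array
{
    $id = (int) ($_GET['id'] ?? 0);           // attacker-controlled value
    $stmt = $pdo->prepare('SELECT id, name, email FROM technicians WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- Hardened pattern (the $_SESSION technique): the id comes from the
// authenticated session, never from the request, so there is no parameter
// for the client to tamper with and only the account in use is reachable.
function getCurrentTechnician(PDO $pdo): ?array
{
    if (empty($_SESSION['technician_id'])) {
        return null;                            // not logged in
    }
    $stmt = $pdo->prepare('SELECT id, name, email FROM technicians WHERE id = ?');
    $stmt->execute([(int) $_SESSION['technician_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- Additional query parameter: where a request id is unavoidable (a
// sub-resource such as a work order), the session-derived owner is added
// as a second predicate, so a row is returned only if it belongs to the
// current technician. A missing row and a foreign row look identical.
function getOwnWorkOrder(PDO $pdo, int $orderId): ?array
{
    if (empty($_SESSION['technician_id'])) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT id, technician_id, description FROM work_orders
          WHERE id = ? AND technician_id = ?'
    );
    $stmt->execute([$orderId, (int) $_SESSION['technician_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Example request handling (assumed route): the order id is still read from
// the query string, but the ownership check happens inside the SQL.
$order = getOwnWorkOrder($pdo, (int) ($_GET['order'] ?? 0));
if ($order === null) {
    http_response_code(404);                    // same answer for "absent" and "not yours"
    exit;
}
echo json_encode($order);
```

The ownership predicate returns `null` both when the work order does not exist and when it belongs to another technician, so the response does not reveal whether a guessed id is valid; the session check in each hardened function also means an unauthenticated request can never reach the database.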
