Home › BCA Cyber Security › cybersecurity › Web Security — OWASP › An IDOR (Insecure Direct Object Reference) attac…
An IDOR (Insecure Direct Object Reference) attack happens when
Athe server uses too much memory
Battacker tweaks ID param to read others' data
Cthe user has a slow connection
Dthe database is encrypted
Answer & Solution
Correct answer: B. attacker tweaks ID param to read others' data
1. IDOR: an application uses an INTERNAL OBJECT REFERENCE (database ID, filename) DIRECTLY in URLs/parameters, WITHOUT verifying the requester is authorised to access that object.
2. EXAMPLE: `GET /invoice?id=42` returns invoice 42 without checking if it belongs to the requesting user. Attacker changes to `id=43` and views someone else's invoice.
3. IDOR is a CLASSIC EXAMPLE of Broken Access Control (OWASP A01 2021).
4. MITIGATIONS: server-side authorisation check on every object access, indirect references (random UUIDs), per-user access matrix.
5. Other options are unrelated to authorisation logic.
_Source: OWASP Top 10 2021 — A01 Broken Access Control (IDOR example)._
Related questions
What does HTTPS provide over plain HTTP?Which OWASP category covers using libraries with KNOWN CVEs?OWASP recommends LOGGING and MONITORING for the SECURITY LIFECYCLE becauseCROSS-SITE REQUEST FORGERY (CSRF) is best mitigated byWhich mitigation is the SINGLE most effective defense against SQL Injection?SERVER-SIDE REQUEST FORGERY (SSRF) — A10 in OWASP 2021 — happens whenWhat does the SECURITY MISCONFIGURATION category (A05 in 2021) typically include?The OWASP 2021 category A04 'INSECURE DESIGN' is a NEW category that addresses