Practice free →
HomeBCA Cyber SecuritycybersecurityWeb Security — OWASP › An IDOR (Insecure Direct Object Reference) attac…

An IDOR (Insecure Direct Object Reference) attack happens when

Athe server uses too much memory
Battacker tweaks ID param to read others' data
Cthe user has a slow connection
Dthe database is encrypted
Answer & Solution
Correct answer: B. attacker tweaks ID param to read others' data
1. IDOR: an application uses an INTERNAL OBJECT REFERENCE (database ID, filename) DIRECTLY in URLs/parameters, WITHOUT verifying the requester is authorised to access that object. 2. EXAMPLE: `GET /invoice?id=42` returns invoice 42 without checking if it belongs to the requesting user. Attacker changes to `id=43` and views someone else's invoice. 3. IDOR is a CLASSIC EXAMPLE of Broken Access Control (OWASP A01 2021). 4. MITIGATIONS: server-side authorisation check on every object access, indirect references (random UUIDs), per-user access matrix. 5. Other options are unrelated to authorisation logic. _Source: OWASP Top 10 2021 — A01 Broken Access Control (IDOR example)._
Solve this in the app — BCA Cyber Security practice & 24k+ MCQs →
Related questions