IDOR
Definition
IDOR, or Insecure Direct Object Reference, is a type of access control vulnerability that occurs when an application exposes a reference to an internal object, such as a file, database record, or key, without proper authorization checks. This can allow an attacker to manipulate the reference to access unauthorized data. IDOR vulnerabilities are often found in web applications where user input is used to directly access objects without sufficient validation or access control mechanisms.
Secure Settings Example
# Example of secure access control in a Flask application
from flask import Flask, jsonify
from flask_login import login_required, current_user

app = Flask(__name__)
# Assumed to be set up elsewhere (not shown on this page): a LoginManager bound
# to `app`, and a fetch_user_data(user_id) helper that loads the record.

@app.route('/user/<int:user_id>', methods=['GET'])
@login_required  # rejects unauthenticated requests before the handler runs
def get_user_data(user_id):
    # Ownership check: the authenticated user may only read their own record
    if current_user.id != user_id:
        return jsonify({"error": "Unauthorized access"}), 403
    # Fetch and return user data
    user_data = fetch_user_data(user_id)
    return jsonify(user_data)
Insecure Settings Example
# Example of insecure access control in a Flask application
from flask import Flask, jsonify

app = Flask(__name__)
# Assumed to be defined elsewhere (not shown on this page): fetch_user_data(user_id)

@app.route('/user/<int:user_id>', methods=['GET'])
def get_user_data(user_id):
    # Directly fetch and return user data without authorization check:
    # no login is required and the caller chooses user_id freely (IDOR)
    user_data = fetch_user_data(user_id)
    return jsonify(user_data)
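Added example, not code from the original page: the ownership check from the secure route above, generalised to any owned object (here, documents) and pushed into the lookup query so it cannot be skipped by a caller, next to the vulnerable lookup the insecure route relies on. It uses only the standard library (an in-memory SQLite table with constructed rows) so it runs without Flask; the table, the user ids and the helper names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users (ids 100 and 200), one document each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, 100, "alice's notes"), (2, 200, "bob's notes")],
    )
    return conn

def fetch_document_insecure(conn, doc_id):
    """Vulnerable lookup (the IDOR): the client-supplied id is the only
    selector, so whoever controls doc_id gets any row in the table."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None

def fetch_document_for_user(conn, doc_id, current_user_id):
    """Hardened lookup: ownership is part of the query itself, so the check
    cannot be forgotten by a caller and a foreign document is never loaded."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id, current_user_id),
    ).fetchone()
    return row[0] if row else None

def handle_get_document(conn, doc_id, current_user_id):
    """Handler-style wrapper returning (status, payload) as a Flask route would.
    current_user_id stands in for current_user.id from the server-side session,
    never for a value taken from the request."""
    body = fetch_document_for_user(conn, doc_id, current_user_id)
    if body is None:
        # Same response whether the id is unused or owned by someone else,
        # so probing ids does not reveal which objects exist.
        return 404, {"error": "not found"}
    return 200, {"id": doc_id, "body": body}

if __name__ == "__main__":
    db = make_db()
    print(fetch_document_insecure(db, 2))   # bob's notes, returned to anyone
    print(handle_get_document(db, 2, 100))  # (404, {'error': 'not found'})
```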