Detecting Insecure Direct Object References
An Insecure Direct Object Reference (IDOR) vulnerability appears when a client-supplied parameter directly references a resource (a database key, a file name, a URL) and the application uses it to fetch that resource without verifying that the current user is authorized to access it. By modifying this parameter, it is possible to access other resources that are not authorized for this user. Usually the affected parameters control the application's flow, for example, parameters named id, uid, r, url, ur, and so on.
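To make the flaw concrete, here is an added example (not code from the book or from Burp Suite) of a minimal in-memory document service: one handler trusts the client-supplied id outright, a second resolves the object and then checks ownership, and a third hands the client only per-session opaque tokens (an indirect reference map) so there is no predictable id to tamper with. The users, ids and documents are constructed sample data.

```python
"""Added example, not code from the book: a minimal in-memory document
service that shows an IDOR-prone lookup beside two hardened variants.
All users, ids and documents below are constructed sample data."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: each document belongs to exactly one user.
DOCUMENTS = {
    1001: Document(1001, "alice", "Invoice 1001 for alice"),
    1002: Document(1002, "bob", "Invoice 1002 for bob"),
}


class AccessDenied(Exception):
    """Raised when the session user may not see the requested object."""


def get_document_vulnerable(session_user: str, doc_id: int) -> Document:
    """IDOR: the client-supplied id is used as the lookup key with no
    ownership check, so any authenticated user who changes id=1001 to
    id=1002 in the request receives another user's record."""
    return DOCUMENTS[doc_id]


def get_document_hardened(session_user: str, doc_id: int) -> Document:
    """Resolve the object, then verify the session user owns it.
    'Missing' and 'not yours' produce the same error so a client
    cannot tell valid foreign ids apart from nonexistent ones."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise AccessDenied(f"{session_user!r} may not read document {doc_id}")
    return doc


class IndirectReferenceMap:
    """Per-session map from random opaque tokens to real ids: the
    client only ever sees tokens issued to its own session, so there is
    no predictable identifier to modify. Ownership is still enforced
    server-side on every resolve (defence in depth)."""

    def __init__(self, session_user: str) -> None:
        self.session_user = session_user
        self._tokens = {}

    def issue(self, doc_id: int) -> str:
        # Only hand out a token for objects the user is allowed to see.
        get_document_hardened(self.session_user, doc_id)
        token = secrets.token_urlsafe(16)
        self._tokens[token] = doc_id
        return token

    def resolve(self, token: str) -> Document:
        doc_id = self._tokens.get(token)
        if doc_id is None:
            raise AccessDenied("unknown or foreign object reference")
        return get_document_hardened(self.session_user, doc_id)


def is_denied(func, *args) -> bool:
    """Demonstration helper: True if the call raises AccessDenied."""
    try:
        func(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    # alice changes the id and reads bob's invoice from the weak handler
    print(get_document_vulnerable("alice", 1002).body)
    # the hardened handler refuses the same request
    print(is_denied(get_document_hardened, "alice", 1002))
```

The ownership check belongs next to the lookup, in the handler itself, not in the client or in a URL that can be edited; the indirect map additionally removes the predictable numeric ids that make these parameters easy to spot in a proxy history.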
These kinds of vulnerabilities can be detected using the Target tool in Burp Suite. As with CSRF detection, the more URLs you collect, the more opportunities there are to find vulnerabilities:
- To add a target to the scope, go to Burp Suite, right-click the target, and click on the Add to the scope option.
- Then go to the Target tool and click on the Scope tab. Here you will see listed all the URLs, domains, and sections added to the scope. If you want, you can limit Burp Suite's history to log only requests in the scope, but I do not recommend that, because sometimes it...
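Once the history has been collected, the review step is to pick out in-scope requests whose parameters look like direct object references. The following is an added example, not code from the book or a Burp Suite feature: it reads a constructed "METHOD URL" history export, applies a scope list the way the Scope tab does, and flags query parameters with the names mentioned above (id, uid, r, url, ur), any parameter with a purely numeric value, and numeric path segments. The sample history and the example.test hosts are constructed.

```python
"""Added example, not code from the book: triage of a proxy-history export
for IDOR-candidate parameters. The history lines and hosts are constructed;
the watched parameter names follow the ones listed in the text."""
from urllib.parse import parse_qsl, urlsplit

# Parameter names the text singles out as typical IDOR carriers.
WATCHED_PARAMS = {"id", "uid", "r", "url", "ur"}

# Constructed sample of logged requests, one "METHOD URL" per line.
SAMPLE_HISTORY = """\
GET https://app.example.test/account/profile?uid=1042
GET https://app.example.test/static/logo.png
POST https://app.example.test/invoice/download?id=55012&format=pdf
GET https://app.example.test/redirect?url=https://app.example.test/home
GET https://cdn.other.test/lib.js?v=3.2.1
GET https://app.example.test/orders/77/items
"""


def in_scope(host, scope):
    """True if host equals a scope entry or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in scope)


def candidate_params(url):
    """Return (name, value) pairs that look like direct object references."""
    parts = urlsplit(url)
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in WATCHED_PARAMS or value.isdigit():
            found.append((name, value))
    # Numeric path segments (e.g. /orders/77/items) are references too.
    for segment in parts.path.split("/"):
        if segment.isdigit():
            found.append(("<path>", segment))
    return found


def triage(history, scope):
    """Return (method, path, candidates) for each in-scope request that
    carries at least one candidate parameter, in history order."""
    results = []
    for line in history.splitlines():
        if not line.strip():
            continue
        method, url = line.split(" ", 1)
        parts = urlsplit(url)
        if not parts.hostname or not in_scope(parts.hostname, scope):
            continue
        params = candidate_params(url)
        if params:
            results.append((method, parts.path, params))
    return results


if __name__ == "__main__":
    for method, path, params in triage(SAMPLE_HISTORY, {"app.example.test"}):
        print(method, path, params)
```

Each flagged endpoint is a place where the server-side ownership check described earlier needs to exist; the list is a review worklist, not a verdict, since a numeric value such as a page size is not a reference to a protected object.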