How to Fix Insecure Direct Object Reference (IDOR) Vulnerabilities
In this tutorial, you'll learn about How to Fix Insecure Direct Object Reference (IDOR) Vulnerabilities. We cover key concepts, practical examples, and best practices.
Insecure Direct Object Reference (IDOR) vulnerabilities occur when an application exposes direct references to internal objects (database IDs, file paths) and does not verify the user's authorization to access those objects.
Quick Fix
Wrong
app.get("/api/user/:id", [](Request& req, Response& res) {
int userId = std::stoi(req.param("id"));
User user = db.query("SELECT * FROM users WHERE id = ?", userId);
res.json(user);
});
Authenticated user can access any user's data by changing the id parameter.
Right
app.get("/api/user/:id", [](Request& req, Response& res) {
int requestedId = std::stoi(req.param("id"));
int sessionUserId = req.session.userId;
if (requestedId != sessionUserId && !req.session.isAdmin) {
res.status(403).send("Access denied");
return;
}
User user = db.query("SELECT * FROM users WHERE id = ?", requestedId);
res.json(user);
});
Fix with UUIDs
// Use UUIDs instead of sequential IDs
app.get("/api/user/:uuid", [](Request& req, Response& res) {
std::string uuid = req.param("uuid");
if (!ownsResource(req.session, uuid)) {
res.status(403).send("Access denied");
return;
}
// ...
});
Fix with ownership check (generic)
bool userOwnsResource(int userId, const std::string& resourceType,
int resourceId) {
auto result = db.query(
"SELECT owner_id FROM " + resourceType +
" WHERE id = ?", resourceId);
return !result.empty() && result[0]["owner_id"] == userId;
}
Prevention
- Never trust user-supplied IDs without authorization checks.
- Use indirect references (UUIDs, random tokens) instead of sequential IDs.
- Implement access control checks for every object access.
- Use server-side sessions to track the current user's identity.
- Test authorization with automated scripts that try alternate IDs.
DodaTech Tools
Doda Browser's security scanner tests each API endpoint with different user IDs and tokens to detect IDOR vulnerabilities. DodaZIP archives access control lists for audits. Durga Antivirus Pro detects unauthorized object access patterns.
Common Mistakes with direct object
- Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
- Using
headandtailinstead of pattern matching, causing runtime errors on empty lists - Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks
These mistakes appear frequently in real-world INSECURE code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
FAQ
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro