AUTH_IDOR_006 security auth_error ai_generated true

Insecure Direct Object Reference (IDOR) allows access to another user's data via predictable IDs

ID: security/insecure-direct-object-reference-in-api

Also available as: JSON · Markdown · 中文
88%Fix Rate
85%Confidence
1Evidence
2023-12-01First Seen

Version Compatibility

VersionStatusIntroducedDeprecatedNotes
REST API active
GraphQL active
Spring Boot 3.1 active

Root Cause

The API exposes internal object IDs (e.g., user ID, order number) in URLs or request bodies without verifying that the authenticated user owns the resource, allowing unauthorized access to other users' data.

generic

中文

API 在 URL 或请求体中暴露内部对象 ID(例如用户 ID、订单号),而未验证经过身份验证的用户是否拥有该资源,从而允许未经授权访问其他用户的数据。

Official Documentation

https://owasp.org/www-community/attacks/Insecure_Direct_Object_Reference

Workarounds

  1. 90% success Implement authorization checks on every API endpoint that accesses a resource by ID. Example in Node.js/Express: app.get('/api/order/:id', async (req, res) => { const order = await Order.findById(req.params.id); if (!order || order.userId !== req.user.id) { return res.status(403).json({ error: 'Forbidden' }); } res.json(order); }); 
    Implement authorization checks on every API endpoint that accesses a resource by ID. Example in Node.js/Express:
app.get('/api/order/:id', async (req, res) => {
    const order = await Order.findById(req.params.id);
    if (!order || order.userId !== req.user.id) {
        return res.status(403).json({ error: 'Forbidden' });
    }
    res.json(order);
});
  2. 85% success Use attribute-based access control (ABAC) with a policy engine (e.g., OPA) to centrally enforce that users can only access resources they own. 
    Use attribute-based access control (ABAC) with a policy engine (e.g., OPA) to centrally enforce that users can only access resources they own.
  3. 88% success Replace direct object IDs with opaque, non-guessable tokens (e.g., signed JWTs) that encode the user's identity and resource ownership, and validate the signature on each request. 
    Replace direct object IDs with opaque, non-guessable tokens (e.g., signed JWTs) that encode the user's identity and resource ownership, and validate the signature on each request.

中文步骤

  1. Implement authorization checks on every API endpoint that accesses a resource by ID. Example in Node.js/Express:
app.get('/api/order/:id', async (req, res) => {
    const order = await Order.findById(req.params.id);
    if (!order || order.userId !== req.user.id) {
        return res.status(403).json({ error: 'Forbidden' });
    }
    res.json(order);
});
  2. Use attribute-based access control (ABAC) with a policy engine (e.g., OPA) to centrally enforce that users can only access resources they own.
  3. Replace direct object IDs with opaque, non-guessable tokens (e.g., signed JWTs) that encode the user's identity and resource ownership, and validate the signature on each request.

Dead Ends

Common approaches that don't work:

  1. Obfuscate object IDs by using hashes (e.g., MD5) instead of sequential numbers 95% fail

    Obfuscation is not authorization; if the hash is leaked or guessed (e.g., via enumeration), access is still granted. Authorization checks are required.

  2. Use UUIDs instead of integers for IDs 90% fail

    UUIDs make guessing harder but do not prevent access if a user obtains another user's UUID (e.g., via shared links or logs). Authorization is still missing.