
Insecure Direct Object Reference

Introduction

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

OWASP Risk Profile

[Figure: OWASP risk profile for Direct Object Reference (source: OWASP)]

Types

  • Files: confidential documents. Demo 1
  • Video: streams from networked personal webcams. Demo 2
  • Applications: web pages or services that allow requests to be made for specific objects without properly verifying the requestor's right to the content.
    • Applications frequently use the actual name or key of an object when generating web pages.
    • Applications don't always verify the user is authorized for the target object.
    • Developers often have a false expectation that the application will only ever be accessed in the intended context.
  • Example:
    • A web application allows users to log in to access their past order information.
    • Once authenticated, a user can view not only their own orders but also other customers' orders by changing the insecure direct object reference, e.g. orderdetails.aspx?orderID=12422 (another customer's order).

Defense measures

  • Implementing a cookie routine to disallow other orders from being viewed (still not safe). Demo 3
  • Implementing a session routine to disallow other orders from being viewed. Demo 4
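The two defense measures above, as an added example that is not the course's demo code: a Python sketch of the orderdetails lookup in its original form, with the cookie check, and with the session check. The order table, session store, cookie names and customer names are constructed sample data.

```python
# Added example (not from the original page): three versions of the
# orderdetails lookup, showing why a check against a client-sent cookie is
# still bypassable while a server-side session check is not.
# ORDERS, SESSIONS and the customer names are constructed sample data.

ORDERS = {                       # order_id -> record (constructed)
    12422: {"customer": "alice", "total": 19.99},
    12423: {"customer": "bob",   "total": 250.00},
}
SESSIONS = {"tok-bob": "bob"}    # server-side store: opaque token -> customer


def lookup_vulnerable(order_id):
    """Original flaw: any authenticated user can fetch any order by id."""
    return ORDERS.get(order_id)


def lookup_cookie_check(order_id, cookies):
    """'Cookie routine' (Demo 3): compares the order owner against a
    customer id supplied in a cookie. Still not safe, because the client
    controls every cookie value it sends."""
    order = ORDERS.get(order_id)
    if order and order["customer"] == cookies.get("customer"):
        return order
    return None


def lookup_session_check(order_id, cookies):
    """'Session routine' (Demo 4): resolve the identity server-side from an
    opaque session token, then verify the order belongs to that identity.
    Nothing the client sends besides the token influences the decision."""
    customer = SESSIONS.get(cookies.get("session"))
    if customer is None:          # not logged in
        return None
    order = ORDERS.get(order_id)
    if order and order["customer"] == customer:
        return order
    return None


if __name__ == "__main__":
    # Bob is logged in (tok-bob) and asks for Alice's order 12422 while
    # presenting a cookie that claims he is Alice.
    tampered = {"session": "tok-bob", "customer": "alice"}
    print("vulnerable:", lookup_vulnerable(12422))          # order leaks
    print("cookie check:", lookup_cookie_check(12422, tampered))  # leaks
    print("session check:", lookup_session_check(12422, tampered))  # None
```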