API Security Misconfiguration
IDOR vulnerabilities in REST APIs and how broken object level authorization leads to data leaks.
Overview
Insecure Direct Object Reference (IDOR), which OWASP lists as Broken Object Level Authorization (API1 in the OWASP API Security Top 10), is among the most common API vulnerabilities. When an API accepts an object identifier from the client and uses it to look up a resource without checking that the authenticated caller is authorized for that particular object, an attacker can read or modify data belonging to other users.
Affected: REST APIs, GraphQL endpoints
Impact: Unauthorized data access and modification
CVSS: 7.5 (High)
The Vulnerability
During API security assessments, we found several applications in which per-user resources could be retrieved simply by changing an ID parameter in the API request. The server never verified that the authenticated user owned, or was otherwise authorized for, the requested object.
Technical Details
The vulnerable endpoints selected the resource using only the client-supplied ID; the identity of the authenticated caller never entered the lookup. The IDs were also sequential integers. That is not the cause of the flaw, but it makes exploitation trivial at scale: rather than needing to know a specific victim's identifier, an attacker can walk the ID space and collect every record.
Attack Scenario
- The attacker authenticates as a legitimate user and receives a session token
- The client application issues API calls that carry user or order IDs
- The attacker intercepts one of these requests (for example with an intercepting proxy) and changes the ID parameter to another value
- The server returns the object for the modified ID, because it only checks that the session is valid, not that the session's user is authorized for that object
- Sensitive information of other users is exposed; with sequential IDs the request can be repeated across the whole ID range
Impact
- Exposure of personally identifiable information (PII)
- Access to private messages and conversations
- Viewing other users' payment details
- Modifying or deleting other users' data
Remediation
- Enforce object-level authorization in every endpoint that takes an object identifier, and make the ownership or permission check part of the data lookup itself (for example by scoping the query to the caller's identity) rather than a separate step that can be forgotten
- Treat random identifiers such as UUIDs as defence in depth: they stop bulk enumeration of sequential IDs, but they do not replace the authorization check, since an identifier can still leak through other channels such as logs, referers or shared links
- Return the same 404 response for objects that do not exist and for objects the caller is not allowed to see, so that error responses do not reveal which IDs are valid
- Test for IDOR regularly; the most reliable check is to replay every authenticated request with a second account's session while keeping the first account's IDs
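The following is an added illustration of the attack scenario and the remediation described above; it is not code from any of the assessed applications. It models a GET /api/orders/{id} handler (the path is an assumption) over an in-memory SQLite table with constructed sample data, shows the vulnerable lookup beside the hardened one, and simulates the attacker walking the sequential ID space with a single valid session.

```python
"""Added example: IDOR in an order-lookup endpoint, vulnerable and fixed.
Data and endpoint shape are constructed for illustration."""
import sqlite3


class HTTPError(Exception):
    """Stands in for the error response a web framework would send."""

    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users with one order each, keyed by
    sequential integer IDs exactly as in the vulnerable applications."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, "
        "card_last4 TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1001, "alice", "4242"), (1002, "bob", "1881"), (1003, "carol", "0005")],
    )
    return db


def get_order_vulnerable(db: sqlite3.Connection, user: str, order_id: int) -> dict:
    """Handler for GET /api/orders/{id} (hypothetical path) as found in the
    assessment: the row is selected by the client-supplied ID alone, and
    `user`, the authenticated caller, never enters the lookup."""
    row = db.execute(
        "SELECT id, owner, card_last4 FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    if row is None:
        raise HTTPError(404)
    return {"id": row[0], "owner": row[1], "card_last4": row[2]}


def get_order_fixed(db: sqlite3.Connection, user: str, order_id: int) -> dict:
    """Hardened handler. The ownership condition is part of the query, so no
    code path can return a row the caller does not own. A row that exists but
    belongs to someone else gets the same 404 as a missing row, so the
    response does not tell the caller which IDs are valid."""
    row = db.execute(
        "SELECT id, owner, card_last4 FROM orders WHERE id = ? AND owner = ?",
        (order_id, user),
    ).fetchone()
    if row is None:
        raise HTTPError(404)
    return {"id": row[0], "owner": row[1], "card_last4": row[2]}


def status_of(handler, db: sqlite3.Connection, user: str, order_id: int) -> int:
    """HTTP status a request would receive: 200 on success, else the error code.
    This is the two-account test from the remediation list in one call."""
    try:
        handler(db, user, order_id)
        return 200
    except HTTPError as err:
        return err.status


def enumerate_leaks(handler, db: sqlite3.Connection, user: str, start: int, stop: int) -> dict:
    """The attacker from the scenario above: one valid session for `user`,
    walking the ID parameter over [start, stop). Returns {order_id: owner}
    for every record returned that belongs to someone else."""
    leaked = {}
    for oid in range(start, stop):
        try:
            record = handler(db, user, oid)
        except HTTPError:
            continue  # 404: nothing at this ID, or (fixed handler) not ours
        if record["owner"] != user:
            leaked[oid] = record["owner"]
    return leaked


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", enumerate_leaks(get_order_vulnerable, db, "alice", 1000, 1010))
    print("fixed:     ", enumerate_leaks(get_order_fixed, db, "alice", 1000, 1010))
    print("bob reading his own order via fixed handler:", status_of(get_order_fixed, db, "bob", 1002))
```

Run as a script, the vulnerable handler hands alice the orders of bob and carol after ten requests, while the fixed handler leaks nothing and still serves each user their own order. Note that switching the table to random UUID keys would only lower the hit rate of the enumeration loop; it would not change what the fixed handler does, which is why the scoped query, not the identifier format, is the actual fix.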