Added IDOR Vulnerability to the list #16

Closed
wants to merge 1 commit into from
17 changes: 17 additions & 0 deletions README.md
Expand Up @@ -14,6 +14,8 @@
- [Remote Code Execution (RCE)](#remote-code-execution-rce)
- [CRLF Injection](#crlf-injection)
- [LDAP Injection](#ldap-injection)
- [IDOR](#idor)

- [Mobile Application Security Vulnerabilities:](#mobile-application-security-vulnerabilities)
- [Weak Server Side Controls](#weak-server-side-controls)
- [Lack of Binary Protections](#lack-of-binary-protections)
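Review bot: the new table-of-contents entry `- [IDOR](#idor)` uses only the abbreviation, while its siblings spell the name out with the abbreviation in parentheses (`- [Remote Code Execution (RCE)](#remote-code-execution-rce)`); rename it to `- [Insecure Direct Object Reference (IDOR)](#idor)` and keep the `#idor` anchor, which matches the `### IDOR` heading added later in the file. The blank line inserted after the entry turns this Markdown list loose, so these items render with extra spacing that the surrounding entries do not have; drop it unless the other sections are separated the same way.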
Expand Down Expand Up @@ -94,6 +96,21 @@ page injection, web cache poisoning, cache-based defacement, and more.

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.

----

### IDOR
**Insecure Direct Object Reference**, commonly known as IDOR is a type of access control vulnerability that takes place when an application uses the user-supplied input to access objects directly, without any fitering measures applied. Generally, there are many variables which are often sent as HTTP parameters, commonly found in cookies or headers. An attacker can access, edit and modify or even delete the other's user object by simply changing the values of those parameters. IDOR vulnerability is as severe as **XSS** and **CSRF** and is a type of vulnerability not easily discovered by automated testing.

For ex: let's take a simple URL of an ecommerce site:

`https://www.myinsecureecommerce.com/page/user1/324`

Now, if someone could change the `user1` to values such as `user2` and get access to other users account, then the attacker can potentially obtain user credentials and other sensitive data.

So, with this an attacker can get access to other account which clearly is an access-control vulnerability.



----

## Mobile Application Security Vulnerabilities:
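Review bot: the description and the worked example disagree about where the object reference lives: the prose says the parameters are "commonly found in cookies or headers", but the example puts the identifier in the URL path (`/page/user1/324`), which is the more typical case; state that the reference can appear in the path, query string, request body, cookies or headers. The example also only swaps `user1`, while the numeric `324` at the end of the path is just as likely to be the value the server trusts; say that either segment may be the direct reference. The comparison "as severe as XSS and CSRF" is not meaningful on its own, since impact depends entirely on what the referenced object is (an order, a profile, a password-reset token); either drop it or tie it to the data exposed. The entry ends without the defence; one sentence that the server must verify the requesting user's authorization for the referenced object on every request, rather than relying on identifiers being hard to guess, would complete it. Spelling and grammar: "fitering" → "filtering", "For ex:" → "For example,", "the other's user object" → "another user's object", "other users account" → "other users' accounts", "get access to other account" → "gain access to another account". Finally, the three blank lines before the closing `----` should be one, matching the spacing after the LDAP paragraph above.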
7 changes: 7 additions & 0 deletions vulnerabilities list
Expand Up @@ -61,6 +61,13 @@

/*========================================*/

** IDOR (Insecure Direct Object Reference)
- Insecucre Direct Object Reference, commonly known as IDOR is a type of access control vulnerability that takes place when an application uses the user-supplied input to access objects directly, without any fitering measures applied.
Generally, there are many variables which are often sent as HTTP parameters found in Cookies or headers. An attacker can access, edit and modify or even delete the other's user object by simply changing the values.
IDOR vulnerability is as severe as XSS and CSRF and is a type of vulnerability not easily discovered by automated testing.

/*========================================*/

Top Mobile Application Security Vulnerabilities:

** Weak Server Side Controls
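Review bot: "Insecucre" and "fitering" are misspelled ("Insecure", "filtering"), and this paragraph is a copy of the README text including the "Cookies or headers" claim that omits the most common location of the reference, the URL path and query parameters; fix the wording here as well so the two files stay in sync, and add the same one-line mitigation (a server-side authorization check for the referenced object on each request) that the README entry needs.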