To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained

I’ll open up with an interesting anecdote.

The first and only known security vulnerability that was reported of an Insecure Direct Object Reference (IDOR) was to the @clerk/nexjs package. The vulnerability was reported by a security researcher and assigned CVE-2024-22206, on January 12th, 2024.

Given that there are more than 3,000 vulnerabilities attributed to npm packages, this is an interesting case to study, somewhat unsurprising because IDORs are commonly due to fault logic in the application code, rather than a vulnerability in the package itself. It’s often to find IDORs in applications, but not so much in discrete library code.

What is Insecure Direct Object Reference (IDOR) ?

In the context of web applications, IDOR stands for Insecure Direct Object Reference. It’s a security vulnerability that arises when an application uses predictable elements to access data or perform actions, without properly verifying if the user making the request is authorized to do so.

So what’s the problem with IDOR vulnerabilities ?

• Unauthorized Access: An attacker can manipulate these predictable elements (like ids in URLs) to gain access to data or functionality they shouldn’t have. Imagine a shopping cart application where users can only view their own cart. An IDOR vulnerability could allow someone to see another user’s cart contents by tweaking the user ID in the URL. A real-world case of IDOR was present in Facebook and even not so long ago in Tinder’s match making application.

• Data Breaches: Sensitive user information like financial details, personal documents, or private messages could be exposed if accessed by unauthorized users through IDOR vulnerabilities. So in terms of risk, the impact of an IDOR vulnerability can be quite severe and impact an actual business or user.

• Privilege Escalation: In some cases, attackers might exploit IDOR to gain higher privileges within the system. This could be particularly dangerous in administrative sections of an application. For example, an attacker could change the id in the URL to access an admin user’s profile and then change the password to take over the account.

Do you believe that security is everyone’s responsibility? even if you’re primarily a front-end developer, security should be a concern for everyone working on a web application. Understanding IDOR helps you write code that doesn’t introduce vulnerabilities unintentionally. IDOR vulnerabilities can have serious consequences for both users and the application itself.

How to prevent Insecure Direct Object Reference (IDOR) ?

What’s JavaScript role in IDOR vulnerabilities ?

While IDOR vulnerabilities often stem from server-side logic, JavaScript plays a part too. JavaScript code might be responsible for:

• Constructing URLs or file paths containing user IDs.
• Making requests to the server with these IDs.

So perhaps when relying on the above, server-side and client-side code makes assumption (such as the user is already authenticated) and skips proper authorization checks. This is where IDOR vulnerabilities can creep in.

When it comes to the server-side code, whether in Node.js, Bun, or Deno, the following are important to prevent IDOR vulnerabilities:

• Server-side Validation: Always validate user IDs and other object references on the server-side before granting access to data or performing actions. This ensures proper authorization checks are in place.

• Don’t Trust User Input: Never blindly trust data received from the user (including URLs or IDs). Sanitize and validate all user input before using it to construct requests or access resources.

• Use Secure Libraries: If you’re using libraries or frameworks for authentication or authorization, make sure they handle IDOR concerns properly. Stay updated on any security vulnerabilities reported in these libraries.

Imagine a Next.js application using @clerk/nextjs for authentication. The application allows users to view their profile information. Here’s how an IDOR vulnerability could occur:

1. A user logs in and is directed to their profile page with a URL like http://localhost:3000/profile/123 (where 123 is the user’s unique ID). The application retrieves and displays the user’s profile data based on the ID in the URL.

2. An attacker intercepts the user’s profile URL (http://localhost:3000/profile/123). The attacker modifies the user ID in the URL to another user’s ID (e.g., http://localhost:3000/profile/456). If the application lacks proper ID verification, the attacker might be able to access the profile information of user ID 456, which could be sensitive data.

This is a simplified example, but it highlights how an attacker could leverage predictable URL structures and a lack of ID verification to access unauthorized resources. This is in fact, a real-world example of an IDOR vulnerability discovered in the popular Clerk library for Next.js (now patched).

There’s a further in-depth Node.js code example and references on how to secure JavaScript code to avoid Insecure Direct Object References (IDOR) on the Node.js Security blog.

How to test for Insecure Direct Object Reference (IDOR) ?

Manually testing might cover identifying predictable elements such as looking for areas in your application where user IDs or other object references are used directly in URLs, form submissions, or API requests. These are potential areas for IDOR exploitation.

A rather proactive approach is to attempt to modify user input that stems from user-controlled elements (like IDs in URLs) and observe the application’s behavior. Can you access data or functionalities you shouldn’t have permission for? If so, you might have an IDOR vulnerability.

When automation comes to frame, tools like OWASP ZAP, Burp Suite, or even custom scripts can help identify IDOR vulnerabilities in your application. These tools can scan your application for potential IDOR issues and provide insights into how to fix them. Here are some more points to consider when hunting for IDORs:

• Inspect network requests
• Modify request parameters
• Review logic for handling user input, specifically refer to best practices for secure code review of Node.js code
• Look for server-side authorization checks

What’s next?

Have you ever encountered an IDOR vulnerability in your application? How did you fix it? Reach out and share your experiences and tips for preventing IDOR vulnerabilities, I’d love to learn!