/Code Review/IDOR in User Profile

IDOR in User Profile

Direct object reference allows accessing other users' profiles by changing the ID parameter.

HIGHMedium

Vulnerable Codejavascript

1app.get('/api/user/:id', async (req, res) => {
2    const userId = req.params.id;
3    
4    const user = await User.findById(userId);
5    
6    if (!user) {
7        return res.status(404).json({ error: 'User not found' });
8    }
9    
10    res.json({
11        id: user.id,
12        email: user.email,
13        phone: user.phone,
14        address: user.address,
15        ssn: user.ssn
16    });
17});

Understanding the Issue

The endpoint retrieves user data based solely on the ID parameter without verifying if the requesting user is authorized to access that data. An attacker can enumerate user IDs to access sensitive information of other users.

User Data Enumeration

Attacker changes user ID to access other accounts

Malicious Input

# Logged in as user ID 5
curl https://api.example.com/api/user/1
curl https://api.example.com/api/user/2
curl https://api.example.com/api/user/3

Impact

Response for /api/user/1:
{
  "id": 1,
  "email": "admin@example.com",
  "phone": "555-0100",
  "ssn": "123-45-6789"  ← Sensitive!
}

✓ Access to all user data without authorization
✓ Can dump entire user database

Technical Details

Vulnerability Type: Insecure Direct Object Reference
Severity: HIGH
Language: Javascript
CWE: CWE-639
OWASP: A01:2021 - Broken Access Control

IDOR in User Profile

Understanding the Issue

How Attackers Exploit This

User Data Enumeration

Finding the Vulnerability(3 hints)

Technical Details

IDOR in User Profile

Understanding the Issue

How Attackers Exploit This

User Data Enumeration

Finding the Vulnerability(3 hints)

Technical Details