IDOR Vulnerability to Log Out Another User

Illustration depicting an IDOR (Insecure Direct Object Reference) vulnerability used to log out another user from a web application

What is IDOR?

IDOR is a type of access control vulnerability that occurs when an application uses user-supplied input to reference an object directly, without verifying that the requesting user is authorized to act on that object.

What is the impact of IDOR?

Because the server accepts the session ID supplied in the request without adequate validation, an attacker can substitute another user's session ID and log that user out.

Mitigation:

  1. Do Not Trust the Session ID from the User
  • Server-side code should never accept session IDs from request parameters (query string or POST body).
  • Session IDs should always be read from Secure, HttpOnly cookies.
  2. Session Binding to User Identity
  • Session IDs should be bound on the server to the authenticated user.
  • Verify that the session belongs to the user who is currently logged in, even if the request carries a different session ID.
  3. Authorization Check
  • Always verify that the user performing the action is the owner of the session, even when a session ID is passed explicitly.
  4. Use Secure Cookies for Session IDs
  • Mark cookies as:
    • HttpOnly (so JavaScript cannot read them)
    • Secure (sent only over HTTPS)
    • SameSite=Strict (to prevent CSRF)
  5. Regenerate Session ID on Login and Logout
  • Prevents session fixation and reduces the window for session hijacking.
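The following is an added example, not code from the article or from the tested application. It models the logout flaw described above and the mitigations listed: a `vulnerable_logout` that trusts a `sessionId` request parameter, beside a `secure_logout` that identifies the caller by cookie and refuses to end a session the caller does not own. The `Request` class, `SESSIONS` store and function names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store standing in for the server's session backend.
SESSIONS: dict[str, str] = {}  # session_id -> username


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: query/body parameters and cookies."""
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def login(username: str) -> str:
    """Issue a fresh, unguessable session ID on every login (mitigation 5)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def is_logged_in(sid: str) -> bool:
    return sid in SESSIONS


def vulnerable_logout(req: Request) -> tuple[int, str]:
    """Insecure: trusts a session ID taken from a request parameter (the IDOR)."""
    sid = req.params.get("sessionId") or req.cookies.get("session")
    SESSIONS.pop(sid, None)  # invalidates whoever's session this happens to be
    return 200, "See you again"


def secure_logout(req: Request) -> tuple[int, str]:
    """Hardened: the caller is identified only by the session cookie (mitigation 1),
    and any sessionId passed in parameters must belong to that caller (mitigations 2-3)."""
    caller_sid = req.cookies.get("session")
    caller = SESSIONS.get(caller_sid)
    if caller is None:
        return 401, "Not logged in"
    # If a specific session is named (e.g. "log out this device"), it must be the caller's own.
    target_sid = req.params.get("sessionId", caller_sid)
    if SESSIONS.get(target_sid) != caller:
        return 403, "Forbidden"  # refuse to touch a session owned by another user
    del SESSIONS[target_sid]
    return 200, "See you again"
```

Running both handlers against two logged-in users shows the difference: the vulnerable handler returns 200 and ends the other user's session, while the hardened one returns 403 and leaves it intact.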

Supporting Material/References:

  1. https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html
  2. https://book.hacktricks.xyz/pentesting-web/idor

POC

Step 1

  • As the user “wiener,” log in to the website and intercept the logout request.



Step 2

  • Forward the intercepted logout request to the Repeater in Burp Suite for additional examination and manual testing.



Step 3

  • Open a private browser session, log in with a second account, and refresh the page so that its request is intercepted.


Step 4

  • Examine the session ID in the intercepted request to understand its structure and how the application uses it.



Step 5

  • Change the session ID in the second request to the one from the first logout request, send it, and check the response. The response returned status code 200.


Step 6

  • Check the response for the phrase “See you again” to confirm that both users have been logged out.



Step 7

  • Once the page has been refreshed, note that both users have been automatically logged out.
