July 14, 2025

Vulnerability Name: IDOR to Modify Another User’s Details with the Help of Session ID

daksh kataria June 14, 2025 0
Illustration of IDOR vulnerability allowing user data modification using session ID
Post Views: 101

What is IDOR?

A particular kind of access control vulnerability known as IDOR occurs when an application directly accesses objects using input provided by the user.

What is the impact of IDOR?

Due to inadequate authorization restrictions, an attacker can change private user information, including name, full name, contact information, bio, and country.

Mitigation:

  1. Do Not Trust Session ID from User Input
  • Session IDs from request parameters (such as GET/POST) should never be accepted by server-side code.
  • Session IDs from secure, HTTPOnly cookies should always be used.
  1. Session Binding to User Identity
  • Session IDs should only be linked to the server’s authenticated user.
  • Verify that the session belongs to the person who is presently logged in, even if someone sends you a different session ID.
  1. Authorization Check
  • Verify that the person carrying out the action is the session owner at all times, even if the session ID is passed.
  1. Use Secure Cookies for Session IDs
  • Mark cookies as:
    • HttpOnly (so JS can’t access it)
    • Secure (sent only over HTTPS)
    • SameSite=Strict (to prevent CSRF)
  1. Regenerate Session ID on Login and Logout
  • Minimizes the likelihood of session hijacking and stops session fixation.

Supporting Material/References:

  1. https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html
  2. https://book.hacktricks.xyz/pentesting-web/idor

POC

Step 1

  • Click save changes and intercept a request.

Image Show Click save changes

Step 2

  • Send to the repeater.

Image Shows Send to the repeater


Step 3

  • Launch a secret browser session, enter a separate username, and review the profile information for the second individual.

Image Shows Crack the lab screen.


Step 4

  • Send to the repeater

Image Shows Crack The Lab

Step 5

  • See the response status code 200 after changing the second request’s session ID to match the first request’s session ID.

Image SHows status code 200

Step 6

  • When you reload the page, user information is automatically updated.

Read More

A Relief to the Bank Customers: Only a Specific Amount Would be Frozen

About Author

daksh kataria

See author's posts

More Stories

Bluetooth symbol with coding icon, warning about serious protocol flaws leading to RCE attacks

Serious Flaws in the Bluetooth Protocol Put Devices at Risk of RCE Attacks

daksh kataria July 11, 2025 0
286 Cybercriminals Arrested in Major Online Fraud Crackdown by Kerala Polic

286 Cybercriminals Arrested in Online Fraud and 61,361 Bank Accounts Frozen

daksh kataria July 11, 2025 0
Illustration of a cybercriminal defrauded a retired cop of ₹4 lakhs with two characters communicating through computers—one a policeman and the other a hacker.

A Cybercriminal Defrauded a Retired Cop of ₹4 Lakhs

daksh kataria July 9, 2025 0

Leave a Reply

Your email address will not be published. Required fields are marked *

You may have missed

Louis Vuitton logo with headline about a cyber attack and UK data breach

Louis Vuitton Hit by a Cyber Attack; UK Customer Data Hacked

daksh kataria July 13, 2025 0
High-tech cyber forensics lab with multiple screens, highlighting efforts to tackle cybercrime

New Cyber Forensics Lab to Focus on Cybercriminals

daksh kataria July 13, 2025 0
Handcuffs image with news headline about digital arrest scam involving a retired HC judge

A digital arrest scam was made to extort money from a retired HC Judge

daksh kataria July 13, 2025 0
Fraud Victims Scammed Again in Cyber Fraud Case; One Arrested

Fraud Victims Now Twice Bitten As They Lost Money to ‘Cyber Fraud’, 1 Arrested

daksh kataria July 12, 2025 0
WhatsApp Fake Chats scam leads to ₹2 crore fraud and arrest of two criminals in Bengal

WhatsApp Fake Chats Caused 2 Crore Loss and 2 Criminals Arrested in Bengal

daksh kataria July 12, 2025 0
en_USEnglish
en_USEnglish
Open chat
Hello
Can we help you?