


{"id":67819,"date":"2025-10-10T13:31:44","date_gmt":"2025-10-10T08:01:44","guid":{"rendered":"https:\/\/vajiramandravi.com\/current-affairs\/?p=67819"},"modified":"2025-10-11T13:12:52","modified_gmt":"2025-10-11T07:42:52","slug":"insecure-direct-object-reference-idor","status":"publish","type":"post","link":"https:\/\/vajiramandravi.com\/current-affairs\/insecure-direct-object-reference-idor\/","title":{"rendered":"Insecure Direct Object Reference (IDOR)"},"content":{"rendered":"<h2><b>Insecure Direct Object Reference Latest News<\/b><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">A serious data leak was narrowly avoided after the Indian government fixed a major security flaw known as an IDOR, or \u201cinsecure direct object reference,\u201d in its income tax e-filing portal.<\/span><\/p>\n<h2><b>About Insecure Direct Object Reference<\/b><\/h2>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"font-weight: 400;\">It is a <\/span><b>web application security vulnerability<\/b><span style=\"font-weight: 400;\"> that occurs when an <\/span><b>application exposes internal object identifiers,<\/b><span style=\"font-weight: 400;\"> such as database keys or file paths, <\/span><b>to users without proper access controls.<\/b><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-weight: 400;\">It can<\/span><b> enable attackers to manipulate these identifiers and gain unauthorized access to sensitive data <\/b><span style=\"font-weight: 400;\">or<\/span><b> perform unauthorized actions<\/b><span style=\"font-weight: 400;\"> on the system.<\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-weight: 400;\">IDOR vulnerabilities <\/span><b>arise due to inadequate validation and authorization checks <\/b><span style=\"font-weight: 400;\">on user-supplied input, which may <\/span><b>allow malicious users to bypass intended access restrictions.<\/b><\/li>\n<li style=\"text-align: justify;\"><b>How does it happen?<\/b>\n<ul>\n<li style=\"text-align: justify;\"><b>Websites often want to serve different content to different users:<\/b><span style=\"font-weight: 400;\"> for example, a shopping website might let each user view their purchase history.<\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Websites can <\/span><b>identify users by authenticating them<\/b><span style=\"font-weight: 400;\">, using a method such as a password or a passkey.<\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Often,<\/span><b> once a website has authenticated a user, it will set a session cookie<\/b><span style=\"font-weight: 400;\"> in <\/span><b>that user&#8217;s browser<\/b><span style=\"font-weight: 400;\">: then, <\/span><b>when the user makes a request, the server will know <\/b><span style=\"font-weight: 400;\">that the request came from this authenticated user.<\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-weight: 400;\">However, as well as checking that the request came from an authenticated user, <\/span><b>the server must implement access control for the resources that the user requests:<\/b><span style=\"font-weight: 400;\"> that is, it must check that this user is allowed to access the specific resource requested.<\/span><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-weight: 400;\">For example, each authenticated user must only be allowed to see their own purchase history.<\/span><\/li>\n<li style=\"text-align: justify;\"><b>If a server does not implement access control for resources, then an attacker <\/b><span style=\"font-weight: 400;\">who is signed into the site <\/span><b>may be able to access the resources belonging to a different user.<\/b><\/li>\n<li style=\"text-align: justify;\"><span style=\"font-weight: 400;\">This is <\/span><b>called an Insecure Direct Object Reference (IDOR) attack.<\/b><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><b>Source<\/b><span style=\"font-weight: 400;\">: <\/span><strong><a href=\"https:\/\/www.indiatoday.in\/technology\/news\/story\/massive-data-leak-risk-averted-government-fixes-major-flaw-in-income-tax-portal-2799776-2025-10-08\" target=\"_blank\" rel=\"nofollow noopener\">IT<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Insecure Direct Object Reference is a web application security vulnerability that occurs when an application exposes internal object identifiers, such as database keys or file paths, to users without proper access controls. Read more about Insecure Direct Object Reference (IDOR), Vulnerabilities, Latest News.<\/p>\n","protected":false},"author":23,"featured_media":67795,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[3173],"class_list":{"0":"post-67819","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-upsc-prelims-current-affairs","8":"tag-insecure-direct-object-reference","9":"no-featured-image-padding"},"acf":[],"_links":{"self":[{"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/posts\/67819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/comments?post=67819"}],"version-history":[{"count":0,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/posts\/67819\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/media\/67795"}],"wp:attachment":[{"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/media?parent=67819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/categories?post=67819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/tags?post=67819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}