IDOR & HTTP Security Headers

What is IDOR?
IDOR stands for Insecure Direct Object Reference. It is a security vulnerability that
occurs when an application allows direct access to internal objects or resources
(such as files, databases, or records) based on user-supplied input, such as IDs or
keys, without proper authorization checks. This can lead to unauthorized access to
sensitive data or actions that should be restricted to certain users or roles.

Let's explain IDOR with two examples:

Example 1: IDOR in File Access

Consider a web application that allows users to access their own profile pictures.
The URL structure looks like this:

https://example.com/profile?user_id=12345

Upon accessing this URL, the application retrieves the user's profile picture based on
the "user_id" parameter provided in the query string.

Exploiting the IDOR vulnerability:

An attacker, who is not authorized to access other users' profile pictures, tries to
exploit the application by changing the "user_id" parameter to another user's ID:

https://example.com/profile?user_id=54321

Impact of the exploit:

Due to the lack of proper authorization checks, the application fetches and displays
the profile picture associated with the user ID "54321," which does not belong to the
attacker. As a result, the attacker gains unauthorized access to the other user's
profile picture.

Example 2: IDOR in Data Access

Consider a web application that allows users to access their own order details by
providing an order ID. The URL structure looks like this:

https://example.com/order_details?order_id=7890

The application uses the "order_id" parameter to retrieve and display the order
details from the database.

Exploiting the IDOR vulnerability:

An attacker, who is not authorized to access other users' order details, attempts to
exploit the application by changing the "order_id" parameter to another order's ID:

https://example.com/order_details?order_id=1234

Impact of the exploit:

Due to the lack of proper authorization checks, the application fetches and displays
the order details associated with the order ID "1234," which does not belong to the
attacker. As a result, the attacker gains unauthorized access to sensitive information,
such as the products ordered, billing addresses, and payment details, belonging to
other users.
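The order-details lookup from Example 2, written out as an added example (not code from the original page): first the vulnerable direct object reference, then a hardened version in which the owner id comes from the server-side session and is part of the query, so a foreign order and a nonexistent order look identical to the client and the denied attempt is recorded for detection. The in-memory sqlite3 table, the user ids 12345/54321 and the order ids 7890/1234 are constructed sample data matching the page's URLs.

```python
import sqlite3
from typing import List, Optional, Tuple

# Server-side record of denied lookups (session_user_id, order_id); a SIEM would
# ingest this so that one session walking through sequential order ids stands out.
DENIED_ACCESS_LOG: List[Tuple[int, int]] = []


def build_db() -> sqlite3.Connection:
    """Constructed sample orders table; the ids match the page's Example 2."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, owner_id INTEGER, "
        "items TEXT, billing_address TEXT)"
    )
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [
            (7890, 12345, "keyboard", "1 Example Street"),  # belongs to user 12345
            (1234, 54321, "monitor", "9 Sample Avenue"),    # belongs to user 54321
        ],
    )
    return db


def order_details_vulnerable(db: sqlite3.Connection, order_id: int) -> Optional[tuple]:
    """IDOR: the query keys only on the client-supplied order_id, so any logged-in
    user can read any order simply by changing the parameter."""
    return db.execute(
        "SELECT order_id, items, billing_address FROM orders WHERE order_id = ?",
        (order_id,),
    ).fetchone()


def order_details_secure(
    db: sqlite3.Connection, session_user_id: int, order_id: int
) -> Optional[tuple]:
    """Hardened: ownership is part of the query, and the owner id is taken from the
    authenticated session, never from the request. A nonexistent order and an
    order owned by someone else both return None, so the endpoint is not an
    oracle for which ids exist; the miss is logged so probing can be detected."""
    row = db.execute(
        "SELECT order_id, items, billing_address FROM orders "
        "WHERE order_id = ? AND owner_id = ?",
        (order_id, session_user_id),
    ).fetchone()
    if row is None:
        DENIED_ACCESS_LOG.append((session_user_id, order_id))
    return row
```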

What is the impact of IDOR?

The impact of an IDOR (Insecure Direct Object Reference) vulnerability can vary
depending on the context. Generally speaking, an IDOR vulnerability can put the CIA
(confidentiality, integrity, availability) of data at risk [1]. Here are some ways an
IDOR can impact the confidentiality, integrity, and availability of your organization’s
data:

● Confidentiality: A successful IDOR attack gives an attacker access to
something they shouldn’t be able to view. For instance, orders of arbitrary
users have been leaked [2].
● Integrity: IDOR can allow an attacker to edit resources they are not authorized
to modify [2].
● Availability: An insecure direct object reference can also impact availability [2].

What are HTTP Security Headers?

HTTP security headers are response headers that web servers use to enhance the
security of web applications and protect them from various types of attacks. These
headers provide additional security measures and instruct the web browser on how
to handle and interact with the website's content. By setting appropriate security
headers, web developers can help mitigate common web application vulnerabilities
and enhance the overall security posture of their applications.

Let's explain some common HTTP security headers with examples:

1. Strict-Transport-Security (HSTS):
The Strict-Transport-Security header informs the browser that the website should
only be accessed over a secure HTTPS connection and should not be accessed via
HTTP. This helps prevent man-in-the-middle attacks and downgrade attacks.

Example:
Strict-Transport-Security: max-age=31536000; includeSubDomains

This header tells the browser to enforce HTTPS for the website and all its
subdomains for one year (max-age=31536000 seconds).

2. X-Content-Type-Options:
The X-Content-Type-Options header prevents the browser from MIME-sniffing
(interpreting the response as a different content type than specified) the content and
helps mitigate certain types of XSS (Cross-Site Scripting) attacks.

Example:
X-Content-Type-Options: nosniff

3. X-Frame-Options:

The X-Frame-Options header prevents the web page from being displayed within a
frame or iframe on another website, helping to prevent clickjacking attacks.

Example:
X-Frame-Options: DENY

4. Content-Security-Policy (CSP):

The Content-Security-Policy header allows the website to define a policy that
controls which resources (such as scripts, stylesheets, images, and fonts) the
browser can load or execute. It helps protect against XSS and data injection attacks.

Example:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'

This CSP allows scripts to be executed only from the same origin ('self'), allows
inline scripts and styles (and, through 'unsafe-eval', script evaluation from strings),
and allows images to be loaded from the same origin or from data URIs.

5. Referrer-Policy:

The Referrer-Policy header controls how much referrer information should be sent
when a user clicks on a link from one site to another. It helps protect the user's
privacy by limiting the information exposed in the referrer header.

Example:
Referrer-Policy: no-referrer

6. X-XSS-Protection:
The X-XSS-Protection header enables the built-in XSS protection of modern web
browsers. It helps block certain types of reflected XSS attacks.

Example:
X-XSS-Protection: 1; mode=block

These are just a few examples of common HTTP security headers. It's essential to
configure security headers appropriately based on the specific security requirements
of the web application. Implementing a strong set of security headers helps protect
web applications against various security threats and ensures a safer browsing
experience for users.

What are the different types of Security Headers that are used in websites?
There are several different types of security headers that are commonly used in
websites to enhance security and protect against various types of attacks. Here are
some of the most common security headers:

1. Strict-Transport-Security (HSTS):
● Purpose: Instructs the web browser to access the website only over a secure
HTTPS connection and not over HTTP. This helps prevent man-in-the-middle
attacks and downgrade attacks.
● Example: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

2. X-Content-Type-Options:
● Purpose: Prevents the browser from MIME-sniffing (interpreting the response
as a different content type than specified) the content. This helps mitigate
certain types of Cross-Site Scripting (XSS) attacks.
● Example: `X-Content-Type-Options: nosniff`

3. X-Frame-Options:
● Purpose: Prevents the web page from being displayed within a frame or
iframe on another website. This helps prevent clickjacking attacks.
● Example: `X-Frame-Options: DENY`

4. Content-Security-Policy (CSP):
● Purpose: Allows the website to define a policy that controls which resources
(such as scripts, stylesheets, images, and fonts) the browser can load or
execute. It helps protect against XSS and data injection attacks.
● Example: `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline';`

5. Referrer-Policy:
● Purpose: Controls how much referrer information should be sent when a user
clicks on a link from one site to another. It helps protect the user's privacy by
limiting the information exposed in the referrer header.
● Example: `Referrer-Policy: no-referrer`

6. X-XSS-Protection:
● Purpose: Enables the built-in XSS protection of modern web browsers. It
helps block certain types of reflected XSS attacks.
● Example: `X-XSS-Protection: 1; mode=block`

7. Content-Type:
● Purpose: Specifies the media type of the response content. Properly setting
the Content-Type header can help prevent certain types of attacks like MIME-sniffing
attacks.
● Example: `Content-Type: text/html; charset=UTF-8`

8. X-Content-Duration:
● Purpose: Specifies the duration (in seconds) the content should be
considered fresh. It can help prevent caching of sensitive data on the client side.
● Example: `X-Content-Duration: 300`

9. Feature-Policy:
● Purpose: Allows the website to control which web features are allowed or
restricted. It helps limit the potential attack surface by limiting access to
certain features.
● Example: `Feature-Policy: accelerometer 'none'; geolocation 'none'; microphone 'none';`

10. Expect-CT:
● Purpose: Enforces Certificate Transparency (CT) for the website's SSL
certificates, which helps detect misissued or malicious certificates.
● Example: `Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report"`

These are just a few examples of common security headers used in websites.
Implementing a strong set of security headers can help protect web applications
against various security threats and ensure a safer browsing experience for users.
Developers should carefully select and configure security headers based on their
specific security requirements and best practices.
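A small audit routine, added here as an example (not code from the original page), that covers both the headers explained in the earlier section and the list above: it parses a response's headers, checks the HSTS max-age against the one-year value the page's examples use, verifies nosniff and X-Frame-Options, splits the CSP into directives and flags 'unsafe-inline' and 'unsafe-eval' in script-src, which the page's own example CSP permits and which largely cancels the XSS protection CSP is meant to provide. PAGE_EXAMPLE_HEADERS is a constructed sample built from the page's example values; the finding strings are my own.

```python
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the max-age the page's HSTS examples use

# Constructed sample input: the header values exactly as the page's examples give them.
PAGE_EXAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' "
    "'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline';",
    "Referrer-Policy": "no-referrer",
}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}; directives are ';'-separated."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's security headers (an empty list means clean)."""
    h = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not age or int(age.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age shorter than one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    policy = parse_csp(h.get("content-security-policy", ""))
    if not policy:
        findings.append("CSP missing")
    # script-src falls back to default-src when it is not set explicitly.
    script_src = policy.get("script-src", policy.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script_src:
            findings.append(f"CSP script-src allows {weak}, which undoes most of the XSS protection")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings
```

Run against PAGE_EXAMPLE_HEADERS the only findings are the two weak CSP source expressions; replacing the page's CSP with `default-src 'self'` yields a clean result.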

Resources and References:
● Insecure Direct Object Reference (IDOR) - Intigriti
● IDOR explained - OWASP Top 10 vulnerabilities - thehackerish
● Insecure Direct Object Reference (IDOR) Vulnerability - GeeksforGeeks
● HTTP Headers - OWASP Cheat Sheet Series
● 8 HTTP Security Headers You Must Use To Enhance Security (wpoven.com)
● What Are HTTP Security Headers | Types Of HTTP Security Headers
(lipsonthomas.com)