IDOR and HTTP Security Headers
What is IDOR?
IDOR stands for Insecure Direct Object Reference. It is an access-control vulnerability that
occurs when an application exposes a reference to an internal object (a database record, a
file, a user or order ID) and looks that object up from a user-supplied value, such as an ID
or key, without checking that the requesting user is authorized to access that particular
object. OWASP groups it under Broken Access Control. The result is unauthorized access to
sensitive data, or to actions that should be restricted to certain users or roles.
Consider a web application that lets users view their own profile pictures. The URL
structure looks like this:
https://example.com/profile?user_id=12345
The application retrieves the profile picture for whatever value is supplied in the
"user_id" query parameter; it never compares that value with the identity of the
logged-in session.
An attacker, who is not authorized to view other users' profile pictures, changes the
"user_id" parameter to another user's ID:
https://example.com/profile?user_id=54321
Impact of the exploit:
Because there is no authorization check, the application fetches and displays the
profile picture for user ID "54321", which does not belong to the attacker. The
attacker gains unauthorized access to another user's data, and because the ID is a
plain integer the same request can be repeated for every ID in the range.
Consider a web application that lets users view their own order details by
providing an order ID. The URL structure looks like this:
https://example.com/order_details?order_id=7890
The application uses the "order_id" parameter to retrieve and display the order
details from the database.
An attacker, who is not authorized to view other users' order details, changes the
"order_id" parameter to another order's ID:
https://example.com/order_details?order_id=1234
Impact of the exploit:
Because there is no authorization check, the application fetches and displays the
order details for order ID "1234", which does not belong to the attacker. The attacker
gains unauthorized access to sensitive information belonging to other users, such as
the products ordered, billing addresses and payment details.
The fix is the same in both cases: take the identity from the authenticated session,
never from the request, and verify that the requested object belongs to (or is shared
with) that user before returning it. Hiding the ID or making it hard to guess is not a
substitute for that check.
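Both examples above come down to the same missing check. The following Python is an added example, not code from the original page: it models the order lookup with an in-memory store (the Order type, the ORDERS table and the user IDs 12345 and 54321 are constructed to mirror the URLs in the text) and shows the vulnerable handler beside two hardened forms.

```python
# Added example, not from the original page. The Order type, ORDERS store and
# user IDs 12345 / 54321 are constructed to mirror the URLs in the text.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    items: tuple
    billing_address: str


# Constructed in-memory "database": one order per user.
ORDERS = {
    7890: Order(7890, owner_id=12345, items=("laptop",), billing_address="1 Main St"),
    1234: Order(1234, owner_id=54321, items=("phone",), billing_address="9 Elm Rd"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def order_details_insecure(order_id: int) -> Optional[Order]:
    """Vulnerable: trusts ?order_id=... and never asks who is making the request.
    Changing 7890 to 1234 in the URL returns another user's order."""
    return ORDERS.get(order_id)


def order_details(session_user_id: int, order_id: int) -> Order:
    """Hardened: identity comes from the authenticated session (never from the
    request), and the check is on the object itself, not merely 'is logged in'.
    A missing order and someone else's order both raise Forbidden, so the
    response does not reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not access order {order_id}")
    return order


def order_details_query(session_user_id: int, order_id: int) -> Optional[Order]:
    """Alternative hardened form: scope the lookup by owner, the equivalent of
    SELECT ... WHERE order_id = ? AND owner_id = ?, so the check cannot be skipped."""
    return next(
        (o for o in ORDERS.values()
         if o.order_id == order_id and o.owner_id == session_user_id),
        None,
    )


def can_access(session_user_id: int, order_id: int) -> bool:
    """True if the hardened handler would serve this order to this session."""
    try:
        order_details(session_user_id, order_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    attacker = 12345  # logged in as the owner of order 7890
    print("insecure handler leaks:", order_details_insecure(1234))
    print("own order:", order_details(attacker, 7890).items)
    print("foreign order allowed?", can_access(attacker, 1234))
```

Unguessable identifiers such as UUIDs make enumeration harder but do not replace the ownership check: a leaked or forwarded URL still has to be authorized. Returning the same error for a missing object and a foreign one is a design choice made here to avoid confirming which IDs exist; teams that prefer a distinct 403 for audit purposes must still make sure the response body carries none of the object's data.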
What are HTTP security headers?
HTTP security headers are response headers that instruct the browser to enable or
restrict specific behaviours: which connections it may use, which resources it may
load, whether the page may be framed, how much referrer information it may leak. They
are defence in depth; they do not fix an application flaw such as IDOR, but they raise
the cost of exploiting other weaknesses. The most common ones are:
1. Strict-Transport-Security (HSTS):
The Strict-Transport-Security header tells the browser that the site must only be
accessed over HTTPS: for as long as the policy is cached, the browser rewrites http://
links to https:// before sending them and refuses to click through certificate errors.
This defeats SSL-stripping (downgrade) man-in-the-middle attacks on later visits. The
header is only honoured when it arrives over a valid HTTPS connection, and the very
first visit is still unprotected unless the domain is on the browsers' preload list.
Example:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
This header tells the browser to enforce HTTPS for the website and all its subdomains
for one year (max-age=31536000 seconds). "preload" signals that the domain may be
submitted to the HSTS preload list built into browsers; that list requires
includeSubDomains and a max-age of at least one year. Roll out with a short max-age
first: a long max-age on a site that later needs plain HTTP locks users out until the
policy expires.
2. X-Content-Type-Options:
The X-Content-Type-Options header stops the browser from MIME-sniffing, that is,
guessing the content type from the bytes and treating the response as something other
than the declared Content-Type. Without it, a user-uploaded file served as text/plain
or image/jpeg can be interpreted as a script or stylesheet, which turns an upload
feature into an XSS vector. The header only helps when the Content-Type header itself
is set correctly, so the two go together.
Example:
X-Content-Type-Options: nosniff
3. X-Frame-Options:
The X-Frame-Options header prevents the page from being rendered inside a frame or
iframe on another site, which defeats clickjacking (overlaying an invisible frame of
the target on a decoy page so the victim's clicks land on it). DENY forbids all
framing; SAMEORIGIN allows framing only by pages from the same origin. Modern browsers
implement the same control through the CSP frame-ancestors directive, which takes
precedence when both are present, so send both to cover older browsers.
Example:
X-Frame-Options: DENY
4. Content-Security-Policy (CSP):
The Content-Security-Policy header lets the site declare which sources the browser may
load scripts, styles, images, fonts and frames from, and whether inline script is
allowed. It is the primary browser-side defence against XSS and data injection.
Example:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'
This CSP restricts all resources to the same origin ('self') by default, allows inline
scripts, eval() and inline styles, and allows images from the same origin or data:
URIs. Note that 'unsafe-inline' in script-src lets an injected <script> block run and
'unsafe-eval' lets injected strings reach eval(), so this policy gives almost no XSS
protection. A stronger policy drops both and permits inline scripts only through a
per-response nonce ('nonce-<random value>') or a hash of the script's contents; once a
nonce or hash is present in the directive, browsers ignore 'unsafe-inline' there.
Deploy a new policy with Content-Security-Policy-Report-Only first and review the
violation reports before enforcing it.
5. Referrer-Policy:
The Referrer-Policy header controls how much of the current URL is sent in the Referer
request header when the user follows a link or the page loads a resource from another
site. It protects privacy and stops secrets carried in URLs (session tokens,
password-reset links) from leaking to third parties. no-referrer sends nothing at
all; strict-origin-when-cross-origin (the default in current browsers) sends only the
origin to other sites and nothing on an HTTPS-to-HTTP downgrade.
Example:
Referrer-Policy: no-referrer
6. X-XSS-Protection:
The X-XSS-Protection header controlled the reflected-XSS filter that older browsers
shipped. That filter is gone: Chromium-based browsers removed it in 2019 and Firefox
never implemented it, and the filter itself could be abused to leak information about
the page. The current OWASP guidance is therefore to set the header to 0 (or omit it)
and rely on a Content-Security-Policy instead; the value 1; mode=block still found in
older guides should not be used.
Example:
X-XSS-Protection: 0
7. Content-Type:
The Content-Type header states the media type and character set of the response. An
accurate Content-Type is what X-Content-Type-Options: nosniff enforces, and an explicit
charset stops the browser from guessing an encoding in which attacker-supplied bytes
turn into markup or script. Set it on every response, including JSON and error pages.
Example:
Content-Type: text/html; charset=UTF-8
8. Cache-Control:
The Cache-Control header tells browsers and intermediate proxies whether a response may
be stored. Pages containing personal data, tokens or order details should be sent with
no-store so they are not left behind in a shared browser cache or a caching proxy.
(X-Content-Duration, which some guides list in this position, was a Firefox-only hint
giving the length of a media file in seconds; it has nothing to do with caching and is
no longer supported.)
Example:
Cache-Control: no-store
9. Permissions-Policy (formerly Feature-Policy):
The Permissions-Policy header lets the site disable browser features (camera,
microphone, geolocation, motion sensors, payment) for its own pages and for embedded
frames, so that an XSS payload or a malicious iframe cannot use them. Feature-Policy
was the original name and syntax; current browsers use Permissions-Policy with a
different syntax, and a site may send both during the transition.
Example:
Permissions-Policy: accelerometer=(), geolocation=(), microphone=()
Feature-Policy: accelerometer 'none'; geolocation 'none'; microphone 'none'
10. Expect-CT:
The Expect-CT header asked the browser to require Certificate Transparency (CT) proofs
for the site's certificates so that misissued certificates would be detected and
refused. It is deprecated: browsers have required CT for every publicly trusted
certificate issued since 2018, so the header no longer adds protection and browser
support for it has been removed. It is listed here because it still appears in older
checklists; there is no reason to add it to a new deployment.
Example (legacy):
Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report"
These are just a few examples of common security headers used in websites.
Implementing a strong set of security headers can help protect web applications
against various security threats and ensure a safer browsing experience for users.
Developers should carefully select and configure security headers based on their
specific security requirements and best practices.
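As an added example (not part of the original page), the following Python applies the recommendations above to a captured set of response headers. The two header sets are constructed: WEAK_HEADERS reproduces the permissive CSP and legacy X-XSS-Protection value quoted earlier, and STRONG_HEADERS is the hardened equivalent; the nonce value is a placeholder, and the thresholds (one-year HSTS, no-store for sensitive pages) are the ones given in the text.

```python
# Added example, not from the original page: checks a set of response headers
# against the recommendations above. WEAK_HEADERS / STRONG_HEADERS are constructed.
import re
from typing import Dict, List

ONE_YEAR = 31536000  # the HSTS max-age the text recommends

def parse_directives(value: str) -> Dict[str, str]:
    """Split 'name=value; name' or comma-separated (Cache-Control) headers into a dict."""
    out = {}
    for part in re.split(r"[;,]", value):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out

def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy into {directive: [lower-cased sources]}."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_headers(headers: Dict[str, str], sensitive: bool = False) -> List[str]:
    """Return findings for one response (empty list = passes). Use sensitive=True
    for pages carrying personal data such as the order details above."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_directives(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    policy = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if policy is None:
        findings.append("Content-Security-Policy missing")
    else:
        scripts = policy.get("script-src", policy.get("default-src", []))  # script-src inherits
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in scripts)
        # browsers ignore 'unsafe-inline' once a nonce or hash is present in the directive
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("CSP script-src allows 'unsafe-inline' with no nonce or hash")
        if "'unsafe-eval'" in scripts:
            findings.append("CSP script-src allows 'unsafe-eval'")
        if "*" in scripts:
            findings.append("CSP script-src allows any origin (*)")
    # frame-ancestors does NOT inherit from default-src; an absent directive counts as open
    framing_ok = h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN")
    if policy and "*" not in policy.get("frame-ancestors", ["*"]):
        framing_ok = True
    if not framing_ok:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    xss = h.get("x-xss-protection")
    if xss is not None and not xss.strip().startswith("0"):
        findings.append("X-XSS-Protection should be 0 or removed (legacy auditor)")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if sensitive and "no-store" not in parse_directives(h.get("cache-control", "")):
        findings.append("sensitive response lacks Cache-Control: no-store")
    return findings

# Constructed: the permissive CSP and legacy values quoted earlier on the page.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "private, max-age=60",
}

# Constructed: the hardened equivalent; 'nonce-r4nd0m' stands in for a per-response value.
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; img-src 'self' data:; style-src 'self'; frame-ancestors 'none'",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "accelerometer=(), geolocation=(), microphone=()",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(name, audit_headers(hdrs, sensitive=True) or ["OK"])
```

Run against the headers a server actually sends (for example the output of a HEAD request to each page type) rather than the ones the configuration intends to send; reverse proxies and CDNs frequently strip or override them. The checker deliberately treats a CSP without frame-ancestors as unprotected when X-Frame-Options is also absent, because frame-ancestors is one of the directives that does not inherit from default-src.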
Resources and References:
● Insecure Direct Object Reference (IDOR) - Intigriti
● IDOR explained - OWASP Top 10 vulnerabilities - thehackerish
● Insecure Direct Object Reference (IDOR) Vulnerability - GeeksforGeeks
● HTTP Headers - OWASP Cheat Sheet Series
● 8 HTTP Security Headers You Must Use To Enhance Security - wpoven.com
● What Are HTTP Security Headers | Types Of HTTP Security Headers - lipsonthomas.com