General Information

Insecure Direct Object Reference

Variants:
Direct, Persistent, Session

Also Known As:
Insufficient Authorization, Authorization Bypass Through User-Controlled Key, Resource Injection

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Privilege Validation

Invented In:
01/01/1999

Added In:
09/12/2014

Quick Introduction to the Topic:

Vector Operation Method:
Attackers can gain access to restricted content by manipulating user-controlled resource identifiers that originate on the client side (for example, a record ID carried in a request parameter) and that the application uses to select the object without validating the requester's privileges.

Direct Variant:

Insecure Direct Object Reference

Also Known As:
Resource Injection

Typical Severity:
Major

Learn More:

Persistent Variant:

Stored Insecure Direct Object Reference

Also Known As:
Persistent Insecure Direct Object Reference

Typical Severity:
Major

Resources:

White Papers:

Learn More:


Session Variant:

Insecure Direct Object Reference via Session Poisoning

Also Known As:
Session Insecure Direct Object Reference

Typical Severity:
Major

Resources:

White Papers:

Learn More: