Account Takeover Series 3: Account Takeover through Insecure Direct Object Reference

What is Insecure Direct Object Reference?

Insecure Direct Object Reference or IDOR occurs when the application trusts the user input and takes sensitive action or shows sensitive information based on the same. This can be abused by an attacker to take sensitive action or dig out sensitive information from a victim’s account.

When an IDOR vulnerability is present in an application’s reset password functionality, the vulnerability can be exploited to update the user’s password, thus taking over the account of the victim user.

Vulnerable Application: Road

Attack Scenario: Marty is an attacker and he wants to take over the application’s admin account. The admin’s email id is previously known (admin@sky.thm).

Steps to Reproduce

  1. Log in to the application as the user Marty. Go to the reset user page and fill in the new password.


  1. Additionally, the user’s email address is provided to the application in the request.

  1. The supplied email id can be edited by the attacker to any desired value. Let us change the email to the admin’s email: admin@sky.thm, and pass the request.

  1. Next, you can see that the application responds successfully.

  1. Log out and try to login through the newly created credentials, admin@sky.thm:1234. Observe that the application shows a successful response and the attacker is logged in.


  1. The most common and easy method of prevention against IDOR is to not rely solely upon the user input. There should be a validation for the same in the backend logic.

  2. Strict access control should be enforced to limit the reference of objects outside of the intended permission.

Related Blogs

What is Account Take Over Attack (ATO)?

ATO Attack Series 1: Cross-Site Request Forgery Account Takeover

ATO Attack Series 2: Account Takeover through Password Reset Poisoning


Start Protecting your Credentials Today! Get in touch with CSW for Red Teaming and VMaaS services.

Share This Post On