Prepare for the CompTIA PenTest+ Exam with our comprehensive materials. Test your knowledge with flashcards and multiple-choice questions, complete with explanations and hints. Achieve exam success!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What cybersecurity issue allows direct access to an internal implementation object without proper authorization?

  1. Weak password management

  2. Insecure direct object references (IDOR)

  3. Session fixation

  4. Cross-site request forgery (CSRF)

The correct answer is: Insecure direct object references (IDOR)

Insecure direct object references (IDOR) are a type of vulnerability that occurs when an application exposes internal implementation objects to users without sufficient authorization checks. This allows an attacker to access or manipulate data they should not be able to reach simply by knowing the internal identifiers (such as file names, account numbers, or database keys) associated with those objects. IDOR arises when developers do not properly validate whether the requesting user has permission to access or modify the requested resource, leading to unauthorized access. For example, if a user can change a URL parameter to reach another user's account or data, this indicates a direct object reference issue.

In contrast, weak password management refers to insufficient policies for creating and maintaining passwords, which may lead to unauthorized access but does not involve the direct handling of object references within the application. Session fixation is a different attack, in which an attacker sets or manipulates a user's session ID to gain unauthorized access after the user logs in. Cross-site request forgery (CSRF) is a web security vulnerability that tricks a user into submitting a request without their consent, exploiting the user's authenticated state.

Each of these issues presents a distinct challenge in cybersecurity, with IDOR specifically concerning unauthorized access through internal references.