Description
The IDOR demo application lacks proper authorization checks, allowing users to access documents belonging to other tenants by manipulating document IDs.
Location
lesson-01/demo-04-custom-scanners/idor-app/api/documents.js
Attack Vector
# Authenticated as user1, can access user2's documents
GET /api/documents/user2-doc-id
Authorization: Bearer <user1-token>
Risk
- Severity: High
- OWASP: A1:2017 - Broken Access Control
- CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
Impact
- Unauthorized access to sensitive documents
- Data breach across tenant boundaries
- Potential for mass data exfiltration via ID enumeration
Remediation
Add authorization middleware to verify document ownership:
const authorizeDocumentAccess = async (req, res, next) => {
  const doc = await Document.findById(req.params.id);
  // Without this guard a missing document throws on doc.ownerId (500)
  if (!doc) {
    return res.status(404).json({ error: 'Not found' });
  }
  // Coerce both sides to strings so an ObjectId never compares unequal by identity
  if (String(doc.ownerId) !== String(req.user.id)) {
    return res.status(403).json({ error: 'Access denied' });
  }
  next();
};
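As an added example (not the idor-app's own code), the same ownership check as a runnable Express-style middleware over a constructed in-memory store. It goes one step beyond the snippet above by scoping the lookup to the caller's tenant and answering 404 for both missing and foreign documents, which removes the existence signal that ID enumeration relies on. The names findOwnedDocument and simulate, and the sample documents, are assumptions.

```javascript
// Added example, not the idor-app's code. Constructed sample store; names are hypothetical.
const DOCUMENTS = new Map([
  ['doc-a1', { id: 'doc-a1', ownerId: 'user1', body: 'user1 quarterly report' }],
  ['doc-b7', { id: 'doc-b7', ownerId: 'user2', body: 'user2 payroll export' }],
]);

// Stand-in for Document.findById that scopes the query to the caller's tenant,
// so a foreign document and a missing one are indistinguishable to the caller.
function findOwnedDocument(id, ownerId) {
  const doc = DOCUMENTS.get(id);
  return doc && doc.ownerId === ownerId ? doc : null;
}

// Middleware: req.user is assumed to be set by the authentication layer.
function authorizeDocumentAccess(req, res, next) {
  if (!req.user || !req.user.id) {
    return res.status(401).json({ error: 'Authentication required' });
  }
  const doc = findOwnedDocument(req.params.id, req.user.id);
  if (!doc) {
    // One response for "not found" and "not yours" defeats ID enumeration.
    return res.status(404).json({ error: 'Not found' });
  }
  req.document = doc; // downstream handler reads the already-authorized document
  return next();
}

// Minimal harness that mimics Express req/res/next for a single request.
function simulate(userId, docId) {
  const result = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(payload) { result.body = payload; return this; },
  };
  const req = { user: userId ? { id: userId } : null, params: { id: docId } };
  authorizeDocumentAccess(req, res, () => {
    result.nextCalled = true;
    result.body = req.document;
  });
  return result;
}

// user1 asking for user2's document: the attack vector from this finding
console.log(simulate('user1', 'doc-b7'));
```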
Note
This application is intentionally vulnerable for training. Add a documentation warning and ensure it is not accidentally deployed.