An Insecure Direct Object Reference (IDOR) vulnerability allows a user to access or modify resources they do not have permission for by manipulating an object identifier (e.g., user ID, record ID, file ID) in a request.
This exposes sensitive data and enables unauthorized actions.
| Vulnerability Name | Vulnerable URL | CVE/CWE | CVSS Score | Overall Risk (Severity) | Observation / Description | Impact | Recommendation | Reference | Steps to reproduce |
|---|---|---|---|---|---|---|---|---|---|
| IDOR | https://uatamrit.piramalswasthya.org/flw-api/user/getUserDetail?userId=974 | CWE-284 | 7.5 | High | The application fails to enforce proper authorization checks on object references, allowing attackers to directly access resources belonging to other users. By modifying the userId parameter in the request, attackers can retrieve sensitive information such as PAN, mobile number, email, profile pictures, etc. of arbitrary users without their consent. This results in unauthorized exposure of user data and constitutes an Insecure Direct Object Reference (IDOR) vulnerability. | Successful exploitation allows an attacker to gain unauthorized access to personal user information. | It is recommended to implement strict server-side authorization checks for every request, ensuring that users can only access their own resources. Object references (such as user IDs) should always be validated against the currently authenticated user. Additionally, indirect references (e.g., mapping IDs to opaque tokens) can be used to prevent direct access to sequential identifiers. Regular access control testing should be part of the development lifecycle to identify and mitigate such flaws. | https://owasp.org/Top10/A01_2021-Broken_Access_Control/ | Step 1: During security assessment, we modified the value of path and query parameters of the requests to another valid value which pointed to other users. Step 2: It was observed that the sensitive information of the victim user account was successfully retrieved without authorization. |
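The two fixes the recommendation describes, shown as an added Python example (not the application's own code): a `getUserDetail`-style handler that trusts the client-supplied `userId` beside one that validates the reference against the authenticated user, plus a server-side indirect-reference map that replaces sequential IDs with per-session opaque tokens. The user store, field values, and function names are constructed for the example.

```python
import secrets

# Constructed sample store with the field types named in the finding; all values are placeholders.
USERS = {
    974: {"name": "user-974", "pan": "PAN-PLACEHOLDER-974", "mobile": "9000000000", "email": "u974@example.invalid"},
    975: {"name": "user-975", "pan": "PAN-PLACEHOLDER-975", "mobile": "9111111111", "email": "u975@example.invalid"},
}

def get_user_detail_vulnerable(session_user_id, requested_user_id):
    """Before: the handler trusts the client-supplied userId and never compares it
    to the authenticated principal, so any logged-in caller can read any record."""
    record = USERS.get(requested_user_id)
    return (200, record) if record else (404, None)

def get_user_detail_fixed(session_user_id, requested_user_id):
    """After: the object reference is validated against the authenticated user.
    A missing record and a record owned by someone else get the same response,
    so the endpoint does not become an oracle for which userIds exist."""
    if requested_user_id != session_user_id or requested_user_id not in USERS:
        return (404, None)
    return (200, USERS[requested_user_id])

class IndirectReferenceMap:
    """Server-side map from per-session opaque tokens to real IDs, so clients
    never see or supply the sequential identifier at all."""
    def __init__(self):
        self._by_token = {}  # (session_id, token) -> real id

    def issue(self, session_id, real_id):
        token = secrets.token_urlsafe(16)
        self._by_token[(session_id, token)] = real_id
        return token

    def resolve(self, session_id, token):
        # A token minted for a different session does not resolve here.
        return self._by_token.get((session_id, token))

def get_user_detail_indirect(session_id, session_user_id, token, refmap):
    """Handler that accepts an opaque token instead of userId and then still
    applies the ownership check: the map hides IDs, it is not an authorization check."""
    real_id = refmap.resolve(session_id, token)
    if real_id is None:
        return (404, None)
    return get_user_detail_fixed(session_user_id, real_id)
```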