LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is Broken Access Control and what are IDOR and Path Traversal attacks?

Broken Access Control = a user reaching data/actions they shouldn't. IDOR is tampering with an object ID (e.g. ?accountId=12341235) to reach another user's object; path traversal is using ../ to climb out of an allowed directory into a forbidden one.

IDOR attack flow: the attacker increments the account id; because the query never checks ownership, the victim's record is returned — the fix adds an owner_id check.

* IDOR: without an ownership check, incrementing the id leaks another user's record; adding AND owner_id = current user denies it. *

Insecure Direct Object Reference (IDOR):

  • Application uses user-supplied input to access objects directly
  • Example: https://example-bank.com/account/details?accountId=1234
  • Attack: Change 1234 to 1235 to access another user's account

Vulnerable code (no ownership check):

String query = "SELECT * FROM accts WHERE account = ?";
pstmt.setString(1, request.getParameter("acct"));
// No check if user owns this account!

Fixed code (ownership enforced):

String query = "SELECT * FROM accts WHERE account = ? AND owner_id = ?";
pstmt.setString(1, request.getParameter("acct"));
pstmt.setString(2, currentUser.getId());  // Only return if user owns it

Path Traversal:

  • MANAGER can access /managers/*, USER only /users/*
  • Attack: USER requests /users/../managers/salaries.xhtml
  • The ../ navigates up one directory, bypassing the path-based access control
  • Result: Unauthorized access to manager resources

Go deeper:

From Quiz: SPRG / Authorization | Updated: Jul 05, 2026