Why UUIDs won't protect your secrets
UUIDs and Indirect Object Reference
By Robert Alexander
2025-10-19
This post is part of a collection on UUIDs.
What is IDOR?
Indirect Object Reference (IDOR) occurs when a resource can be accessed directly by its ID even when the user does not have proper authorization to access it. IDOR is a common mistake when using a separate service for storing files, such as a publicly readable Amazon S3 bucket. The web application may perform access control checks correctly, but the storage service does not.
Here’s vulnerable Django code which allows a user to view their latest billing statement:
    from django.contrib.auth.decorators import login_required
    from django.shortcuts import render
    from .models import Bill

    # Vulnerable!
    @login_required
    def view_latest_bill(request):
        # Newest bill owned by the logged-in user ("-date" sorts descending)
        bill = Bill.objects.filter(owner=request.user).order_by("-date")[0]
        # The S3 object key is built from the predictable integer primary key
        url = f'https://example.us-east-1.s3.amazonaws.com/bill-{bill.id}'
        return render(request, 'template.html', {'url': url})
While Django ensures the user is logged in and only provides them with bills they own, S3 has no concept of Django users, and performs no such authorization checks.
A simple attack would start from a known URL and increment the bill ID:
    $ curl https://my-bucket.us-east-1.s3.amazonaws.com/bill-100
    [ attacker sees their own bill ]
    $ curl https://my-bucket.us-east-1.s3.amazonaws.com/bill-101
    [ attacker sees another user's bill ]
The attacker can keep trying bill IDs, potentially accessing the entire collection of bills.
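The defensive counterpart to the flow above, as an added example that is not the post's own code: the bucket stays private and the application, after checking ownership, mints a short-lived URL whose HMAC signature is bound to one object key, which is the mechanism behind S3 presigned URLs. The in-memory BUCKET, the SIGNING_KEY and the two sample bills are constructed stand-ins for the real bucket and IAM credentials.

```python
import hmac, hashlib, time
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed stand-in for a private bucket: object key -> (owner, body).
# Nothing here is reachable without a valid signature, like a bucket with
# public access blocked where only presigned URLs work.
BUCKET = {
    "bill-100": ("alice", "Alice: $42.00 due 2025-11-01"),
    "bill-101": ("bob", "Bob: $17.50 due 2025-11-01"),
}
SIGNING_KEY = b"constructed-demo-key"  # stands in for the IAM signing credentials
BASE = "https://my-bucket.s3.amazonaws.com/"

def _sig(key: str, expires: int) -> str:
    # Signature covers the exact object key and the expiry, so changing
    # either one in the URL invalidates it.
    msg = f"{key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def view_latest_bill(user: str, now: int, ttl: int = 300) -> str:
    """App layer: authorize first, then mint a URL only for the caller's own bill."""
    owned = [k for k, (owner, _) in BUCKET.items() if owner == user]
    if not owned:
        raise PermissionError("no bills for this user")
    key = sorted(owned)[-1]  # "latest" in this demo: the highest key
    expires = now + ttl
    query = urlencode({"Expires": expires, "Signature": _sig(key, expires)})
    return f"{BASE}{key}?{query}"

def storage_fetch(url: str, now: int):
    """Storage layer: knows nothing about users; serves an object only when the
    URL carries a valid, unexpired signature over exactly that key."""
    parts = urlsplit(url)
    key = parts.path.lstrip("/")
    q = parse_qs(parts.query)
    try:
        expires, sig = int(q["Expires"][0]), q["Signature"][0]
    except (KeyError, ValueError):
        return None  # unsigned request: the 403 the public bucket never sent
    if now > expires or not hmac.compare_digest(sig, _sig(key, expires)):
        return None  # expired, or the key/expiry was tampered with
    return BUCKET[key][1] if key in BUCKET else None

if __name__ == "__main__":
    now = int(time.time())
    url = view_latest_bill("alice", now)
    print(storage_fetch(url, now))                                # Alice's bill
    print(storage_fetch(url.replace("bill-100", "bill-101"), now))  # None
    print(storage_fetch(BASE + "bill-101", now))                  # None
```

Incrementing the key in a signed URL, fetching an object without a signature, or replaying a URL after its expiry all fail at the storage layer, so the authorization decision made in the application is the only way to obtain a working URL.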