Introduction to IDOR

Introduction to IDOR
Hello All, In this post I will provide you an overview about how to exploit IDOR vulnerability.
What is IDOR? 
IDOR:(Insecure direct object references)
Due to improper validation of userid at Server side leads to Change of content.
OR
without any validation mechanism which allows attackers to manipulate these references to access unauthorized data
OR
A user can successfully request access to a webpage, a data object, or a file that they should not have access to.


IDOR Attack Scenario:
Case 1:
Deleting other user content:
1)Victim post something on website which has a unique ID
Eg: 19
Attacker:
1)Attacker creates a post which has a unique ID of 22.
2)He tries to delete his post by intercepting his deleting request.
3)In request, Change ID from 22 to 19 which results deletion of victim post.

Case 2:
Changing other user profile picture:
Attacker:
1)Intercept the upload image request and find the Unique User ID of attacker.
2)Change the ID of attacker to victim ID.
3)Victim profile picture gets updated.
 
Case 3:
Directory Traversal
The path of the file is displayed in 'the current directory is' field - C:\Users\userName$\.extract\webapps\WebGoat\lesson_plans\en and we also know that the tomcat-users.xml file is kept under C:\xampp\tomcat\conf
 
--Use the Directory traversal attack ../../../../../../../xampp/tomcat/conf/tomcat-users.xml


Proof of concept(Steps to Reproduce)
  1. Create 2 accounts
  2. start intercepting the requests
  3. add a course in one account and look at the response of the POST request that is made to add this course. It is a number.
  4. Now go to the other account also make a course.
  5. Edit this course, and capture the POST of the request that is made to edit the course.
  6. Repeat the request but change the "id" parameter to the id the course that was made in the other account.
  7. reload the page
  8. The course got removed from the creator's account and was inserted into the account of the attacker.

IDOR Examples:
  • IDOR is in a URL parameter.
http://mybank/customer/27
Change 27 to 26.
  • IDOR is in a query parameter.
http://mycompany/reviews?employee=jsmith

Change jsmith to john.
If your website has an admin page with a URL
http://mywebsite/admin

--see what happens if you log in as a non-admin user and then manually change the URL to point to the admin page.  If you can get to the admin page, you have found another instance of IDOR.

Session management consist of 2 parts:-
1)Authentication answers
“WHO AM I?”
2)Authorization answers
“WHAT CAN I DO?”


IDOR Variables: ID, PID, UID can be found in HTTP parameter, header & cookie.
If ID is not a number like 1,2,3 and it’s a hash value then try  decoding the encoded value
Access hashed value in “Referrer“ header, so scenarios such as changing ID can be replicated.
Eg:
Create 2 test accounts as X and Y, then try to X’s hashed id value in Y’s requests in Burp History. To find the inject point in this request, you can use Burp Suite’s compare tool


Using BurpSuite to Find IDOR
1)Click “Send to Intruder.”
2)Select Positions tab
3)Next, go to the “Payloads” tab.
4)Once you have tailored your attack, click the “Start Attack” Button.

Eg:
In this example we are using the numbers 1-1000 in increments of 1.(payload)
PAYLOADALLTHETHINGS:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%20Object%20References#tools

Prevention:
1)If your “privatesection” endpoint includes the API requests such as “/api/privatesection/admins”, “/api/privatesection/console”, “/api/privatesection/tokens”, you can block the endpoint for non-admin users.

2)Access control is the key to solving IDOR. When a user requests a specific record, make sure they are authorized to view the requested record.

Takeways:
1- Try to test your target from time to time.
2- Don’t trust the response , getting an error doesn’t mean it’s the end :)

Feel free to provide me the feedback. Thanks for reading and I hope you enjoyed it.

Comments

Post a Comment

Popular posts from this blog

API Information Disclosure

Image
API Information Disclosure Hello All, In this post I will provide you an overview about how to exploit Broken Object Level Authorization vulnerability. Definition: Attackers substitute the ID of their own resource in the API call with an ID of a resource belonging to another user. The lack of proper authorization checks allows attackers to access the specified resource. This attack is also known as IDOR (Insecure Direct Object Reference). OR APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user. Lets say our vulnerable website is target[.]com Steps I did to takeover all the accounts on the test platform. Since I was already registered user on the target website. I did functionality check of the reset password feature. Reset Password Function I added my email id and user id  and int
Read more

My OSCP Journey - A Review

Image
My OSCP Journey - A Review Pre-Preparation: Hello All, In this post I will provide you an overview about my OSCP journey. In order t o gain some hands-on experience before enrolling, I started practicing on HackTheBox platform. Having done around 50 boxes, I finally felt ready to enroll into the PEN-200.  I would suggest try to complete each and every box from the list mentioned below, before enrolling as your pre-preparation work. OSCP Like boxes:   TJnull’s Preparation Guide for PWK/OSCP I enrolled for OSCP and completed all the PWK exercises and labs within 45 days. After completing all the coursework, I started preparing my notes in structured and organized way. The advice for you here is to make your own notes as it would really help you in your OSCP exam, you’ll thanks yourself later! What is important in doing all this is "BUILDING YOUR METHODOLOGY." Build Your Own Methodology If you have the time, I would strongly recommend completing TJ_Null’s list of HackTheBox
Read more