This is Muhammad Asim Shahzad a.k.a “protector47”
Today I will discuss one of my interesting findings: “Insecure Direct Object Reference leads to Unauthorized Data Access”.
What is IDOR?
An insecure direct object reference (IDOR) is an access control vulnerability where unvalidated user input can be used for unauthorized access to resources or operations. IDORs can have serious consequences and can be hard to find, yet exploiting them can be as simple as manually changing a URL parameter. Here’s your pocket guide to insecure direct object references.
An insecure direct object reference vulnerability occurs when the following three conditions are met:
- The application reveals a direct reference to an internal resource or operation.
- The user is able to manipulate a URL or form parameter to modify the direct reference.
- The application grants access to the internal object without checking if the user is authorized.
Exploiting an IDOR typically allows one of the following:
- Obtaining unauthorized data access: Exposed object references may reveal direct database IDs, allowing attackers to retrieve database records containing sensitive information. Exposed key names and values can also help in crafting SQL injection payloads.
- Performing unauthorized operations: By manipulating unvalidated user ID values, command names, or API keys, attackers can execute unauthorized operations in the application. Examples include forcing a password change to take over a user’s account, executing administrative commands to add users or escalate privileges, and gaining access to paid-for or rate-limited application APIs or features.
- Manipulating application objects: Access to internal object references can allow unauthorized users to change the internal state and data of the application. As a result, attackers might tamper with server-side state (session values, for example) to alter data, elevate privileges, or access restricted functionality.
- Getting direct access to files: Typically combined with path traversal, this type of IDOR lets attackers manipulate file system resources. This could allow them to upload files, manipulate other users’ data, or download paid content for free.
How I discovered the vulnerability
Information gathering, and especially parameter brute-forcing, is always something that takes you to the next level or reveals something unexpected.
I was testing a website, let's assume www.abc.com (I’m bound not to disclose the program name because it was a private program).
I was looking for a high severity vulnerability because the program was old and I knew the common issues would not be rewarded or would end up as duplicates.
I tried everything like XSS, SQLi, and other manipulations but was unable to find anything in the application. The application was quite secure, or I didn’t have enough skills :-)
After enough fuzzing and enumeration, I started brute-forcing hidden parameters. The endpoint was: https://www.abc.com/users/account/
Use Arjun and Parameth for parameter brute-forcing.
Arjun enumerated a parameter for me: “?id=”.
My ID was 6781, and when I changed the user ID from 6781 to 6780, I accessed some other user’s data. Shit!!!
THAT WAS TOO SIMPLE :D
It was simple, but hard to discover that hidden parameter.
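The following is an added example, not code from the original write-up or from the target program. It models the `/users/account/` endpoint in miniature to show the three IDOR conditions listed above, how Arjun-style response diffing turns up a hidden `id` parameter, and what the server-side fix looks like. The user records, the tiny wordlist and both handlers are constructed for this example; the real application's code was never published.

```python
"""Added example, not code from the original write-up or the target program:
a miniature model of the https://www.abc.com/users/account/ endpoint that
shows the three IDOR conditions, how Arjun-style response diffing turns up
a hidden `id` parameter, and what the server-side fix looks like. The user
records, the wordlist and both handlers are constructed for this example."""

# Constructed sample data: the tester's account (6781) and its neighbour (6780).
USERS = {
    6780: {"id": 6780, "email": "alice@example.com", "phone": "+1-555-0100"},
    6781: {"id": 6781, "email": "tester@example.com", "phone": "+1-555-0101"},
}

# Constructed, deliberately tiny wordlist; real tools ship thousands of names.
WORDLIST = ["page", "lang", "debug", "id", "uid", "sort"]


def account_vulnerable(session_user_id, params):
    """Model of the bug. Condition 1: the record is addressed by its raw
    database id. Condition 2: that id is read from a query parameter the
    client controls. Condition 3: nothing checks that it belongs to the
    caller. With no `id` supplied the page looks perfectly normal, which is
    why the parameter had to be brute-forced."""
    raw = params.get("id", str(session_user_id))
    try:
        target = int(raw)
    except ValueError:
        return 400, {"error": "bad id"}
    user = USERS.get(target)
    if user is None:
        return 404, {"error": "not found"}
    return 200, user


def account_fixed(session_user_id, params):
    """Fix: the record is chosen by the authenticated session, never by the
    parameter. If a client still sends `id`, it must name the caller's own
    account; anything else is refused (and is worth alerting on)."""
    requested = params.get("id")
    if requested is not None and requested != str(session_user_id):
        return 403, {"error": "forbidden"}
    return 200, USERS[session_user_id]


def discover_params(handler, session_user_id, wordlist, probe="zzz123"):
    """Parameter brute-force in the style of Arjun/Parameth: take a baseline
    response, resend with each candidate name set to a junk value, and report
    every name whose presence changes the response. (Real tools also send
    random names first to learn what an unchanged response looks like, so a
    page with dynamic content does not flag every candidate.)"""
    baseline = handler(session_user_id, {})
    return [name for name in wordlist
            if handler(session_user_id, {name: probe}) != baseline]


def idor_probe(handler, session_user_id, param, other_id):
    """Reproduce the finding: while logged in as session_user_id, ask for a
    neighbouring id. Returns the foreign record if the server hands it over,
    or None if access control holds."""
    status, body = handler(session_user_id, {param: str(other_id)})
    if status == 200 and body.get("id") != session_user_id:
        return body
    return None


if __name__ == "__main__":
    me, neighbour = 6781, 6780
    print("hidden params:", discover_params(account_vulnerable, me, WORDLIST))
    print("vulnerable:", idor_probe(account_vulnerable, me, "id", neighbour))
    print("fixed:", idor_probe(account_fixed, me, "id", neighbour))
```

Note that `discover_params` still reports `id` against the fixed handler, because the parameter is still processed (a bogus value now yields a 403 instead of a 400). The presence of the parameter is not the bug; the missing ownership check is, and that is what `idor_probe` distinguishes.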
$1,500 was rewarded.
Thanks for reading this article, I hope you learned something new today. Please share this article to spread the knowledge.