Advanced IDOR Exploitation: Discovering Hidden Vulnerabilities Through Delayed Object Creation


jahanaj

IDOR vulnerabilities are commonly found in web applications and allow attackers to access or manipulate resources they shouldn’t have access to. While most IDOR issues are straightforward, here’s a lesser-known method that involves exploiting a timing window during object creation where access controls may not be fully applied.

https://spanning.com/blog/insecure-direct-object-reference-web-based-application-security-part-6/

1. Trigger Object Creation

Identify features in the application where objects are created in multiple steps. These could be things like:

- New user accounts
- Orders in an e-commerce system
- Requests for services or resources (e.g., tickets, support requests)

Start the process of creating an object by interacting with the relevant feature, such as submitting a form, adding an item to a cart, or initiating a sign-up process.

2. Delay Finalization

Once you’ve triggered object creation, delay the final step of the process. This can be done by:

- Intentionally slowing down the submission of the final step (e.g., using a proxy like Burp Suite to delay or throttle requests).
- Uploading large files or selecting actions that take time to complete (e.g., choosing a payment method that has additional verification steps).

By doing this, the object is left in a partially completed state, potentially leaving it vulnerable to manipulation.

3. Monitor Responses and Intercept Object IDs

While the object is being created but not fully finalized, pay close attention to the responses from the server. Intercept these responses using Burp Suite or a similar tool, and look for:

- Exposed object references (IDs, GUIDs, or resource URLs) that are being sent back.
- Any references to user IDs, order IDs, or resource IDs that may be leaking during this intermediate state.

4. Manipulate Object IDs (IDOR Exploit)

Once you’ve identified object IDs, attempt to manipulate the object ID to access or modify resources that belong to other users. This might involve:

- Changing the object ID in a request to another user's ID.
- Modifying parameters such as a user ID, ticket ID, or other identifiers that link objects to users.

If the application is only enforcing access controls at the end of the object creation process, you might be able to interact with the object before the full access control check kicks in.

5. Chain the Attack for Maximum Impact

After identifying a vulnerable object ID, try chaining actions to modify, delete, or escalate privileges on the object. For example:

- Gain access to another user's order details during the checkout process.
- Modify shipping addresses, product selections, or other sensitive information before the order is finalized.
- Exploit IDOR in partially created accounts to take over other users' profiles.

Most developers assume that access control is properly applied as soon as an object is created. However, in many applications, the enforcement of access controls is delayed until the process completes. This leaves a small window of opportunity where an attacker can access or manipulate the object before the access control mechanisms take full effect.

By targeting this delayed lifecycle, you can find IDOR vulnerabilities that only appear under specific conditions, making them harder to detect using traditional testing methods.
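To make the root cause concrete from the defender's side, here is a constructed Python sketch (added here, not code from the original article) of the pattern described above: an order row that exists before checkout finishes, an update handler that checks ownership only once the order is finalized, and the fix of binding the owner at creation and checking it on every access regardless of lifecycle state. The names `ORDERS`, `create_draft`, `update_address_vulnerable`, `update_address_fixed` and `simulate` are illustrative assumptions, not a real application's API.

```python
from dataclasses import dataclass
from itertools import count


class Forbidden(Exception):
    """The acting user does not own the referenced object."""


@dataclass
class Order:
    order_id: int
    owner: str                 # bound at creation, not at finalization
    shipping_address: str = ""
    finalized: bool = False


ORDERS = {}                    # stand-in for the order table (constructed)
_ids = count(1000)             # sequential IDs, as in many real systems


def create_draft(user):
    """Step 1 of checkout: the row exists before the order is finalized."""
    order = Order(order_id=next(_ids), owner=user)
    ORDERS[order.order_id] = order
    return order


def update_address_vulnerable(user, order_id, address):
    """Ownership enforced only once finalized: drafts are editable by anyone."""
    order = ORDERS[order_id]
    if order.finalized and order.owner != user:
        raise Forbidden(order_id)
    order.shipping_address = address
    return order


def update_address_fixed(user, order_id, address):
    """Ownership checked on every access; unknown and foreign IDs look alike."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        raise Forbidden(order_id)
    order.shipping_address = address
    return order


def simulate(update):
    """Alice opens a draft; Bob submits her order ID with his own address."""
    draft = create_draft("alice")
    try:
        update("bob", draft.order_id, "bob's address")
        return "modified"
    except Forbidden:
        return "forbidden"
```

Running `simulate` against each handler shows the draft window: the vulnerable handler lets Bob change Alice's address while the order is still a draft, the fixed one refuses because the ownership check does not depend on the object's state.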
