How I Found a Simple IDOR Bug That Exposed Sensitive Data

Photo by charlesdeluvio

What exactly is IDOR?

IDOR, or Insecure Direct Object Reference, is a type of security vulnerability that occurs when an application provides direct access to objects based on user-supplied input, without proper authentication or authorization checks. This means that users can potentially access data or functions that they are not authorized to view or use by simply manipulating input values.

How IDOR Works

Here’s a basic example to illustrate how an IDOR vulnerability might be exploited:

Direct URL Access: Suppose a web application uses URLs to access user profiles like this:Here, userId=123 is a parameter that specifies which user's profile to display

2. Manipulating Input: If the application does not properly verify that the current user is allowed to access the profile of userId=123, a malicious user might change the URL parameter to:

This could grant them access to another user’s profile

Why IDOR is Dangerous

IDOR vulnerabilities can lead to severe security issues, including:

Unauthorized Access: Users can access data or functions they shouldn’t be able to.Data Leakage: Sensitive information can be exposed, leading to privacy breaches.Privilege Escalation: Attackers might gain higher levels of access than intended.

Here’s how the story goes
This is how I first discovered this bug. Actually, this bug was in a mobile application that has been on my phone for a long time, and I was curious about how this application processes data, whether user data is safely stored in their database.

Here, I only used two tools to test the application, namely Burp Suite and the MEmu Android emulator. I started by logging into the application with my user credentials and began clicking through all the features in the app. Then, I checked every request and response in Burp Suite.

I found an endpoint that potentially has an IDOR bug because there is an ID present.

This is the specific endpoint I discovered during my research

I conducted further testing by attempting to brute-force the last three digits of the user ID parameter. Surprisingly, the endpoint consistently responded with HTTP status code 200, indicating that it accepts and processes requests even with altered user IDs.

This is the result of a brute-force attack using an Intruder tool

When I checked the response, I obtained the full data of the user’s records.

This is the response from the request, which returned a status code of 200

This discovery highlights potential security implications related to Insecure Direct Object Reference (IDOR), emphasizing the importance of thorough security assessments and secure handling of user-sensitive data in web applications.

After discovering the bug, I immediately contacted the developers of the application.

TIPS

Click on every button and explore all features, then examine the requests and responses captured by Burp Suite. Understanding the workflow of an application is crucial for effective testing and identifying potential issues.