Leveraging a Burp Suite extension for finding IDOR (Insecure Direct Object Reference).


Dhanush

IDOR is one of the common vulnerabilities found in bug bounty websites. Let's see how to easily catch them.

Autorize Extension in action

If you are not familiar with IDOR, then here is a quick refresher.

IDOR is a type of access control vulnerability in which the system uses user-supplied input to access objects or resources directly. IDOR arises when a user can modify the reference used to access an internal object/resource and, by doing so, reach an object/resource that should be restricted from that user.

Let me put it in simple words with an example.

Let’s say that a school system uses a student’s unique number to retrieve personal information about that particular student. If a student provides a different unique number and retrieves information about a different student, that is an example of IDOR. Normally, the system will limit each user’s access to his/her own information. But when it doesn’t, an IDOR vulnerability arises.

Autorize Extension

Let me tell you about two of the most used extensions for finding IDOR.

Autorize

This free-to-use Burp extension could be the most popular tool when it comes to finding IDOR. Finding IDOR is a time-consuming task, as you should check every resource present on the website. You should request the resources of a high-privileged user with the cookie details of a low-privileged one. Autorize helps you do just that easily.

How to use it to find IDOR?

1. First, feed the cookie details of a low-privileged/different user into the Autorize extension.
2. Then roam the vulnerable website and request different resources as a high-privileged user, using your browser with Burp connected.
3. For every request you make as the high-privileged user on the site, the Autorize extension repeats the same request with the given low-privileged cookie.
4. Finally, check in the Autorize extension whether any privileged resources have been accessed by the low-privileged cookie requests. If they have, you get an IDOR.

The Autorize extension makes the task of requesting resources as differently privileged users easy. Without this extension, you’d have to manually change the cookie details in the browser. So this extension should be on your belt if you are looking for IDOR.
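The replay-and-compare idea from the steps above, applied to the school example, as an added example that is not part of the original article and is not Autorize's code. The handlers, cookie values, records and verdict names are all constructed for illustration, and `low_may_read` is an assumed policy list used to show that an identical response is only a finding when the low-privileged user should not have had access.

```python
# Constructed in-memory data; nothing here touches the network.
RECORDS = {"1001": "Asha, grade A", "1002": "Ravi, grade B", "1003": "Meena, grade A"}
SESSIONS = {  # cookie value -> identity (constructed sample sessions)
    "cookie-staff": {"user": "staff1", "role": "staff"},
    "cookie-1002": {"user": "1002", "role": "student"},
}

def vulnerable_handler(cookie, student_no):
    """Checks only that the caller is logged in, never who owns the record."""
    if cookie not in SESSIONS:
        return 401, ""
    if student_no not in RECORDS:
        return 404, ""
    return 200, RECORDS[student_no]

def hardened_handler(cookie, student_no):
    """Same lookup, plus an ownership/role check on every request."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, ""
    if session["role"] != "staff" and session["user"] != student_no:
        return 403, ""  # checked before the lookup so existence is not leaked
    if student_no not in RECORDS:
        return 404, ""
    return 200, RECORDS[student_no]

def replay_check(handler, high_cookie, low_cookie, student_numbers, low_may_read):
    """Repeat each privileged request with the low-privileged cookie and compare."""
    verdicts = {}
    for number in student_numbers:
        original = handler(high_cookie, number)
        if original[0] != 200:
            continue  # nothing privileged was returned, so nothing to compare
        replayed = handler(low_cookie, number)
        if replayed != original:
            verdicts[number] = "enforced"
        elif number in low_may_read:
            verdicts[number] = "allowed"   # identical response, legitimately so
        else:
            verdicts[number] = "bypassed"  # identical response to a record it must not see
    return verdicts

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, replay_check(handler, "cookie-staff", "cookie-1002",
                                 ["1001", "1002", "1003"], low_may_read={"1002"}))
```

Record 1002 returns the same response for both cookies even in the hardened handler, because the student owns it; matches like this need to be triaged against the intended access policy before being reported.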

Multi-Account containers — Firefox Container

Multi-Account Containers

Multi-Account Containers is a free-to-use Firefox extension that lets you have separate tabs for different uses. You can create multiple color-coded Firefox tabs using this extension. When you visit a site using one colored tab, the session data, cookie data, site preferences, and ad-tracking data are kept within tabs of that particular color. This data is not shared with other tabs in Firefox. It lets you separate your work, shopping, and personal browsing from each other.

Though this extension does not directly help to find IDOR, it helps to separate cookie data for different users in different colored tabs.

acc1, acc2 are the two container tabs that I use for finding IDOR

How is it used for finding IDOR?

Create two different containers (colored tabs) for the different users that you intend to find the IDOR with. In one container, you browse the vulnerable website as a low-privileged user, and in the other one as a high-privileged user. The two containers separate the data of the two different users from each other and from the rest of your browser session.

You should use this feature in conjunction with the Autorize extension. These two will help you catch the IDOR more easily and quickly.

IDOR is my favorite kind of vulnerability, and I exclusively use only these two extensions in finding it. I have had success in finding IDOR using these two. If you are new to bug bounty, then you should start with finding IDOR using these extensions.
