What is an Insecure Direct Object Reference (IDOR) Risk?

 IDOR stands for Insecure Direct Object Reference occurring when an application displays an indication of an internal object in an unsafe manner. Whenever a user generates, sends an HTTP request, or receives a request from a server, there are parameters such as “ID”, “UID”, “PID” etc. that have certain unique values that the user has been assigned. An attacker may detect such parameter values in HTTP paths, cookies, and headers. With this, the attacker can tamper with other privileges of user data and this interference can lead to Insecure Direct Object Reference.

Insecure Direct Object Reference (IDOR) Flow

Figure 1: IDOR Flow

What are HTTP methods and what are they used for?

HTTP defines a set of request methods to indicate the desired action to be used for a given service. In simple terms “It is a method of communication between server-side and client-side”

HTTP Methods

Figure 1.1: HTTP Methods

In general, Insecure Direct Object Reference (IDOR) has three types of attack vectors:

  • Body Manipulation. Attackers can change the value of the input box, radio buttons, and form fields. This allows them to access other users’ information more easily.
  • URL Tampering. The URL is changed at the client-side by tempering parameters on the HTTP request. HTTP GET and POST actions are often at risk of URL tampering attacks that lead to IDOR attacks in applications.
  • JSON IDs manipulation.
    • APIs and small services that will work with a structured data format like JSON may be vulnerable to IDOR flaws and errors.
    • To read other users’ data, especially if they rely on some obvious form of a session to validate applications.

 

Here we can see how Insecure Direct Object Reference (IDOR) works in the modern web application, we test PortSwigger lab for this attack.

This is the official URL: https://acc91f8f1f83a99b805b1001001c0052.web-security-academy.net to access the lab.

Insecure Direct Object Reference works in the modern web application

For solving this lab, we need to get the password of CARLOS via IDOR vulnerability.

 

  1. Click on the live chat button.

Click on live chat button.

  1. Click on the send button and observe messages.

Click on send button and observe messages.

  1. Click on view transcript and capture the request in Burpsuite.

Click on view transcript and capture the request in Burpsuite

  1. Forward this request.

Forward this request.

  1. After forward we will get this endpoint path /download-transcript/3.txt

After forward we will get this endpoint path download-transcript txt

  1. Change the endpoint path 3.txt to 1.txt and forward it.

Change the endpoint path 3.txt to 1.txt and forward it.

  1. Now as we can see we are successfully able to download the 1.txt file of CARLOS.

Now as we can see we are successfully able to download the 1.txt file of CARLOS.

  1. Open this txt file and we can see the CARLOS password in it.

Open this txt file and we can see the CARLOS password in it.

  1. Now try to login with CARLOS account using this password.

Now try to login with CARLOS account using this password.

  1. As you can see, I am successfully able to login into the CARLOS account and solved the challenge.

As you can see, I am successfully able to login into the CARLOS account and solved the challenge.

 

Impact of the Vulnerability:

  • As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example, database records or files.
  • Such resources can be database entries belonging to other users, files in the system, etc.
  • An attacker can steal sensitive information from unrestricted directories and use this to craft other attacks.

 

Mitigation of the vulnerability: 

  • Engineers should avoid showing references to secret objects such as keys or file names.
  • Parameter validation should be used correctly.
  • Verification of all indicated items must be done and implement Authentication/Authorization in the application.
  • Tokens should be generated in such a way that they should be edited to the user only and should not be public.

 

References: 

 

Author,

Rituraj Vishwakarma

Attack & PenTest Team

Varutra Consulting Pvt. Ltd