
Insecure Direct Object Reference (IDOR) Vulnerability


Prerequisites: Burp Suite

Insecure Direct Object Reference (IDOR) is one of the most crucial vulnerabilities listed in the OWASP Top 10. In this article, we will discuss the IDOR vulnerability. Before moving ahead, let us first discuss authentication. Authentication means verifying the identity of a person and allowing that person to access specific requests once they are authenticated (verified). But if a user is not authenticated and can still view files, i.e. open files the wrong way, as hackers/attackers do, it is called Broken Authentication. This article will focus on the way an attacker uses Broken Authentication vulnerabilities that may lead to IDOR.

What is an IDOR Vulnerability? 

In a web application, whenever a user generates, sends, or receives a request to or from a server, the request carries HTTP parameters such as “id”, “uid”, “pid”, etc. that hold unique values assigned to that user. An attacker can see such parameter values in cookies, headers, or Wi-Fi packet captures, and may be able to tamper with them; this tampering can lead to IDOR.

IDOR vulnerability


Some examples of untrusted data that can be manipulated through IDOR:

www.xyz.com/myaccount/uid=12
www.xyz.com/myaccount/uid=14
www.xyz.com/myaccount/uid=15
www.xyz.com/myaccount/uid=19

Here we can see that the uid in the URL appears to be vulnerable and can be tampered with by an attacker to break the authentication.

Types of IDOR 

There are four types of IDOR, as follows:

  1. Directory Traversal: Directory Traversal, also known as a Path Traversal attack, lets an attacker access or manipulate files and folders that should not be publicly accessible. If a Directory Traversal vulnerability exists in a web application, the attacker can easily view sensitive files or folders such as images, themes, scripts, and so on.
  2. Body Manipulation: Body Manipulation refers to changing or modifying the values in the request body, such as the values of input fields, radio buttons, checkboxes, etc.
  3. URL Tampering: URL Tampering refers to changing a parameter value in the URL. For example, suppose there is a URL like ‘http://example.com/category/photos_id=1’. With this parameter, we are authorized to see the data of ID ‘1’. If we change the value from 1 to 2, as in ‘http://example.com/category/photos_id=2’, and can see the data behind that URL, this is considered URL Tampering.
  4. Cookie ID Manipulation: Generally, cookies are used to store and exchange data between the client and server. They help identify specific users and provide a good browsing experience. If there is an IDOR vulnerability, it may be possible to manipulate a cookie ID. For example, a web application may set a cookie such as _gid=123456 for user A and _gid=789012 for user B. If user A can change the value of _gid to user B's ID and see information that belongs to user B, there is an IDOR.

How do IDOR Vulnerabilities Get Executed? 

Let us first discuss the back-end working of a web application that runs an SQL query without tying it to the authenticated user, which leads to access to other users' account information.

String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ... );
// The account number is taken straight from the request; nothing checks
// that it belongs to the logged-in user.
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery( );

In the above code, the “acct” parameter is taken directly from the request without any check that the account belongs to the logged-in user, so the attacker can modify it in the web application and enter other account numbers to retrieve their information.
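The same lookup in Python, as an added example that is not part of the original article: the vulnerable version mirrors the snippet above (parameterised, so no SQL injection, but no ownership check), while the hardened version scopes the query to the session user. The in-memory table, the account numbers and the user names are constructed sample data.

```python
import sqlite3

# Constructed in-memory stand-in for the article's "accts" table
# (added example, not the article's own code).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accts (account TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
conn.executemany("INSERT INTO accts VALUES (?, ?, ?)", [
    ("1001", "alice", 250),
    ("1002", "bob", 9000),
])


def lookup_vulnerable(acct: str):
    """Mirrors the article's snippet: the query is parameterised, so there is
    no SQL injection, but nothing ties the requested account to the caller.
    Whatever 'acct' the client sends is returned."""
    return conn.execute(
        "SELECT account, owner, balance FROM accts WHERE account = ?", (acct,)
    ).fetchone()


def lookup_hardened(session_user: str, acct: str):
    """Ownership check: the object is looked up *within* the caller's scope.
    An account owned by someone else does not exist from this user's point of
    view, so the handler can answer 404 without confirming the account exists."""
    return conn.execute(
        "SELECT account, owner, balance FROM accts WHERE account = ? AND owner = ?",
        (acct, session_user),
    ).fetchone()


if __name__ == "__main__":
    # bob's session tampers with the parameter and asks for alice's account
    print(lookup_vulnerable("1001"))        # ('1001', 'alice', 250)  <- IDOR
    print(lookup_hardened("bob", "1001"))   # None
    print(lookup_hardened("bob", "1002"))   # ('1002', 'bob', 9000)
```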

Steps Involved in the Execution of the IDOR Attack

Burp Suite is widely used by attackers to execute such attacks. The following steps are involved:

  • Capture the Request: First of all, an attacker decides on a target website against which to execute an IDOR attack. The website is then added to the scope and spidered to collect all the URLs with specific parameters in them.
  • Filter the Requests by Parameter: After the first step, the captured requests are filtered by parameter. An attacker only chooses the parameters or injection points where the attack can be executed.
  • Forward the Request to Repeater: If the attacker finds injection points where IDOR can be executed, the request is forwarded to Repeater. The vulnerable URL might look like www.xyz.com/myaccount/uid=19. Here the “uid” appears to be vulnerable.
  • Tamper with the Parameters: Now that the attacker has the vulnerable injection point, they try to execute the IDOR attack with the help of social engineering or the pattern visible in the injection point. Example: an attacker may change uid from 19 to 20, which opens the account of another user who has been assigned ID number 20.

Now, let's demonstrate IDOR with a practical scenario.

  • Visit https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references
  • After logging in, click on Access the lab.
  • Now click on Live chat. You will see that a chatbot is connected. Type anything to that chatbot.


  • Now open Burp Suite and capture the request to view the transcript.
  • In Burp Suite, go to the HTTP history tab and click on the captured request for downloading the transcript.


  • Now send the request to Repeater and click on Send. You can see your chat details there.


  • Observe the file name in the GET request: it is 4.txt. Let's change the value to 1.txt and see what happens.


If you observe the highlighted text in the Response tab, it is leaking the password. Let's log in to the website using this password and see whether we can access this user's account.


Here we get access to the user's dashboard and have successfully changed the email address. This confirms that an IDOR vulnerability exists.

Impacts of IDOR Vulnerability

  • Exposure of Confidential Information: When an attacker gains control over your account through this vulnerability, they will obviously come across your personal information.
  • Authentication Bypass: Since the attacker can gain access to millions of accounts with this vulnerability, it acts as a form of authentication bypass.
  • Alteration of Data: An attacker may gain the privileges to access your data and alter it, which may lead to the manipulation of records.
  • Account Takeover: Since an attacker can access multiple user accounts just by changing the “uid” values, this leads to an account takeover vulnerability. When one vulnerability leads to another (as in this case), it is known as chaining of bugs.

Remediation of IDOR Vulnerability 

  • Developers should avoid exposing private object references such as database keys or file names.
  • Validation of parameters should be properly implemented.
  • Every referenced object should be verified against the requesting user.
  • Tokens should be generated in such a way that they map only to the user and are not public.
  • Use random identifiers so that they are harder for attackers to guess.
  • Validation of user input should be properly implemented.
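The token and random-identifier points above can be combined in a per-session indirect reference map, shown here as an added example rather than code from the article: the client only ever sees opaque random tokens, and a token minted for one user's session does not resolve in another's. The ReferenceMap class, the download_transcript handler and the two sessions are constructed for this illustration; the transcript file names follow the lab above.

```python
import secrets


class ReferenceMap:
    """Per-session indirect reference map (hypothetical class name).
    Real object ids stay on the server; only random tokens reach the browser."""

    def __init__(self):
        self._by_token = {}  # token -> real object id
        self._by_id = {}     # real object id -> token, so the same object reuses one token

    def reference(self, real_id: str) -> str:
        """Return the opaque token for a real id, minting one on first use."""
        if real_id not in self._by_id:
            token = secrets.token_urlsafe(16)  # 128 random bits: not sequential, not guessable
            self._by_id[real_id] = token
            self._by_token[token] = real_id
        return self._by_id[real_id]

    def resolve(self, token: str):
        """Map a token back to a real id. Unknown tokens, including tokens that
        belong to another user's session, resolve to None."""
        return self._by_token.get(token)


# Constructed sessions: each user has a map populated only with objects they own.
sessions = {"alice": ReferenceMap(), "bob": ReferenceMap()}
alice_transcript = sessions["alice"].reference("transcripts/1.txt")
bob_transcript = sessions["bob"].reference("transcripts/4.txt")


def download_transcript(session_user: str, token: str):
    """Handler that accepts only tokens from the caller's own map.
    Returns (status, real_path); a miss is a plain 404 with no hint
    about whether the object exists."""
    real_path = sessions[session_user].resolve(token)
    if real_path is None:
        return (404, None)
    return (200, real_path)


if __name__ == "__main__":
    print(download_transcript("bob", bob_transcript))    # (200, 'transcripts/4.txt')
    print(download_transcript("bob", alice_transcript))  # (404, None)
    print(download_transcript("bob", "1.txt"))           # (404, None): raw ids never resolve
```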

Last Updated : 03 Feb, 2023