
Insecure Direct Object Reference (IDOR) Vulnerability

Prerequisites: Burp Suite

One of the most crucial vulnerabilities listed in the OWASP Top 10 is Insecure Direct Object Reference (IDOR). In this article, we will discuss the IDOR vulnerability. Before moving ahead, let us first discuss authentication. Authentication means verifying the identity of a person and allowing that person to access specific requests once the user is authenticated (verified). If a user who is not authenticated is nevertheless able to view files, i.e. open them in the wrong way, as hackers/attackers do, that is called Broken Authentication. This article focuses on the way an attacker uses Broken Authentication vulnerabilities that may lead to IDOR.

What is an IDOR Vulnerability? 

In a web application, whenever a user generates, sends, or receives a request from a server, there are HTTP parameters such as "id", "uid", "pid", etc. that carry unique values assigned to that user. An attacker can see such parameter values in cookies, headers, or Wi-Fi packet captures. Because of this, an attacker might be able to tamper with these values, and that tampering may lead to IDOR.


Some of the examples that demonstrate the untrusted data which can be manipulated using IDOR:  

www.xyz.com/myaccount/uid=12
www.xyz.com/myaccount/uid=14
www.xyz.com/myaccount/uid=15
www.xyz.com/myaccount/uid=19

Here we can see that the uid in the URL seems to be vulnerable and can be tampered with by an attacker to break the authentication. 

Types of IDOR 

There are four types of IDOR as follows:

  1. Directory Traversal: Directory Traversal, also known as a Path Traversal attack, is where an attacker can access or manipulate files and folders that should not be publicly accessible. If a Directory Traversal vulnerability exists in a web application, the attacker can easily see sensitive files or folders such as images, themes, scripts, and so on. 
  2. Body Manipulation: Body Manipulation refers to changing or modifying the values in the request body, such as the values of input fields, radio buttons, checkboxes, etc. 
  3. URL Tampering: URL Tampering refers to changing a parameter value in the URL. For example, suppose there is a URL such as 'http://example.com/category/photos_id=1'. With this parameter, we are authorized to see the data of ID '1'. But if we could change the value from 1 to 2, giving 'http://example.com/category/photos_id=2', and could then see the data at that URL, this is considered URL Tampering. 
  4. Cookie ID Manipulation: Generally, cookies are used to store and exchange data between the client and server. They help in identifying specific users and provide a good browsing experience to the user. If there is an IDOR vulnerability, it may be possible to manipulate a cookie ID. For example, a web application may have a cookie ID such as _gid=123456 for user A and another cookie ID _gid=789012 for user B. If user A can change the value of _gid to the ID of user B and then see information belonging to user B, there is an IDOR. 

How do IDOR Vulnerabilities Get Executed? 

Let us first look at the back-end code of a web application that looks up user account information in SQL without checking whether the requesting user is entitled to that account, which leads to unauthorized access to account information.

import java.sql.PreparedStatement;
import java.sql.ResultSet;

// Vulnerable pattern: the query is parameterised (so this is not SQL injection),
// but the account number is taken straight from the request and is never
// checked against the logged-in user's own accounts.
String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();

In the above code, the "acct" request parameter is used directly as the account number, so an attacker can modify it in the web application and enter other account numbers to retrieve their information. 
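The following is an added example, not code from the article: it reproduces the vulnerable lookup above in Python against a constructed in-memory SQLite table (assumed schema: an accts table with an owner_id column tying each account to a user), and places the hardened version beside it, where the server scopes the query to the authenticated session user instead of trusting the client-supplied "acct" value.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the article's 'accts' table.
    Assumption: owner_id records which logged-in user owns each account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accts (account TEXT PRIMARY KEY, owner_id INTEGER, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accts VALUES (?, ?, ?)",
        [("1001", 1, 500),   # belongs to user 1
         ("1002", 2, 900)],  # belongs to user 2
    )
    return conn


def vulnerable_lookup(conn, acct_param):
    """Mirrors the article's snippet: parameterised (no SQL injection), but the
    account number comes straight from the request, so any account is served."""
    return conn.execute(
        "SELECT account, balance FROM accts WHERE account = ?", (acct_param,)
    ).fetchone()


def hardened_lookup(conn, session_user_id, acct_param):
    """Same query, but ownership is enforced from the server-side session:
    the client may name an account, the server decides whether it is theirs."""
    return conn.execute(
        "SELECT account, balance FROM accts WHERE account = ? AND owner_id = ?",
        (acct_param, session_user_id),
    ).fetchone()
    # None -> respond with 404/403; do not reveal whether the account exists


if __name__ == "__main__":
    db = build_db()
    # User 1 is logged in but tampers the acct parameter to another user's number.
    print(vulnerable_lookup(db, "1002"))   # ('1002', 900): user 2's data leaks
    print(hardened_lookup(db, 1, "1002"))  # None: request refused
    print(hardened_lookup(db, 1, "1001"))  # ('1001', 500): own account still works
```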

Steps Involved in the Execution of the IDOR Attack

The Burp Suite tool is widely used by attackers to execute such attacks. The steps followed are as follows:

Now, let’s demonstrate IDOR with a practical scenario. 


Now, if you observe the highlighted text in the Response tab, it is leaking the passwords. Let's log in to the website using this password and see whether we can access this user's account. 


Here we get access to the user's dashboard and have successfully changed the email address. This confirms that an IDOR vulnerability exists. 

Impacts of IDOR Vulnerability

Remediation of IDOR Vulnerability 
