Understanding IDOR: A Key Vulnerability in Web Security
Maruf Farhan
Lecturer at Ulster University London | CSC Tutor at Sussex ISC | Lecturer (Cybersecurity) at Coventry University | Educator at Kingsley Institute | MSc Cybersecurity | Comp Sec+ Certified | Blockchain Researcher
What is an IDOR?
IDOR stands for Insecure Direct Object Reference. It is a type of access control vulnerability that occurs when a web server receives user-supplied input to retrieve objects (files, data, documents), and this input is not validated on the server side to confirm the requested object belongs to the user making the request. This vulnerability can lead to unauthorised access to sensitive information.
A Simple Scenario
Imagine you've just signed up for an online service and you want to change your profile information. The link you click on is https://online-service.thm/profile?user_id=1305, and you can see your information. Out of curiosity, you try changing the user_id value to 1000 (https://online-service.thm/profile?user_id=1000), and to your surprise, you can now see another user's information. You've discovered an IDOR vulnerability! Ideally, there should be a check on the website to confirm that the requested user information belongs to the user making the request.
Identifying IDOR Vulnerabilities
Locating IDORs
IDOR vulnerabilities may not always be visible in the URL. They can be hidden in AJAX requests or referenced in JavaScript files. During development, endpoints with parameters like /user/details?user_id=123 might be left in production, allowing unauthorised data access.
A Practical Example
Consider an online service where, after logging in, you can change your username, email address, and password. The username and email fields are pre-filled with your information. To investigate how this information gets pre-filled:
After signing up for the account, when you go to the dashboard and then to account details, you can see that your information is already there. The Your Account section lets you change your information, such as your username, email address, and password. You'll notice the username and email fields are pre-filled with your information.
We'll start by investigating how this information gets pre-filled. If you open your browser developer tools, select the network tab, and then refresh the page, you'll see a call to an endpoint with the path /api/v1/customer?id={user_id}.
If you double-click that request, the endpoint's response opens in a new page.
If you then change the id value in the URL, the server returns the details of whichever user ID you supplied, because nothing checks that the id belongs to the logged-in user.
For example, setting id=1 returns the details of user ID 1.
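To make the missing check concrete, here is an added example (not code from the article or from TryHackMe) that models the /api/v1/customer?id={user_id} endpoint in plain Python: once as the vulnerable handler, once with the server-side ownership check, plus a small helper a defender could use to flag cross-user requests in audit logs. The CUSTOMERS table, the Request class and the handler names are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the service's customer table.
CUSTOMERS = {
    1: {"username": "admin", "email": "admin@online-service.thm"},
    1305: {"username": "alice", "email": "alice@online-service.thm"},
}


@dataclass
class Request:
    session_user_id: int  # identity from the login session: server-side, trusted
    query_id: int         # the ?id= value from the URL: client-controlled, untrusted


def customer_vulnerable(req: Request):
    """The IDOR: the record is selected purely by the client-supplied id."""
    record = CUSTOMERS.get(req.query_id)
    return (200, record) if record else (404, None)


def customer_fixed(req: Request):
    """Hardened handler: the requested id must match the authenticated user.

    The object is still looked up by id, but only after confirming that the
    id belongs to the session making the request; any other id is refused.
    """
    if req.query_id != req.session_user_id:
        return (403, None)  # ownership check failed: deny and let the caller log it
    record = CUSTOMERS.get(req.query_id)
    return (200, record) if record else (404, None)


def is_idor_attempt(req: Request) -> bool:
    """Detection helper: a session asking for an object it does not own."""
    return req.query_id != req.session_user_id


if __name__ == "__main__":
    # Alice (user 1305) tampers with the id to request user 1's details.
    tampered = Request(session_user_id=1305, query_id=1)
    print("vulnerable:", customer_vulnerable(tampered))  # leaks user 1's record
    print("fixed:     ", customer_fixed(tampered))       # (403, None)
    print("flagged:   ", is_idor_attempt(tampered))      # True
```

The same ownership check applies to any object reference (files, orders, documents), not just user records: compare the requested identifier against what the session is actually allowed to see before fetching it.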
Final Thoughts
Understanding and identifying IDOR vulnerabilities is crucial for web security. By knowing how these vulnerabilities occur and how to detect them, you can better protect sensitive information and ensure robust access control mechanisms are in place. Happy testing, and stay secure!
copyright: TryHackMe