Account Takeover Through IDOR
I am Gulprit Singh. First of all, this is my very first article and since English is not my mother tongue, I apologize if there are any grammatical mistakes. Today I wanted to share with you about IDOR leading to account takeover that I found in an organization. Before we get into the case, we will first look at IDOR description.
What is IDOR?
Refer to OWASP, “Insecure Direct Object Reference (called IDOR from here) occurs when an application exposes a reference to an internal implementation object. Using this way, it reveals the real identifier and format/pattern used of the element in the storage backend side. The most common example of it (although is not limited to this one) is a record identifier in a storage system (database, filesystem and so on)”.
I had an experience doing penetration testing of a financial application, let’s call it xxx application. My favorite technique while doing the test was using IDOR by simply modifying the parameter.
Firstly, we must have an account to explore each menu in the application to find the vulnerability. During the process, I found something interesting in the history menu which I could modify the ID parameter value to do username enumeration as shown in the picture below:
After getting someone’s username and its corresponding ID parameter value, I logged out from the application. Then I used the forgot password feature using my real account information to analyze the request and response.
Now what I found here was really interesting, I was able to change someone’s password by using the request that I used before to any account as shown in the picture below:
By tampering the id’s parameter, you can successfully change that related user’s password to be your existing encrypted password. Then we can sign into the xxx application with username that we got earlier and just type random password.
We must intercept the sign in request because we need to replace the random password with encrypted password that we got from the forgot password’s feature.
Once it is done, just forward the request and it will redirect to OTP authentication. There are several tricks to bypass OTP but at this point the OTP token is shown in otprequest’s response. So just look at it and input the token into the xxx application.
Finally, succeed to log in and get into the dashboard to do any transaction because in this case all the transaction verification is using OTP which is can be bypassed via otprequest’s response or modify response code.
This attack could happen because there is no validation in server-client side especially in newPassword request and it is the root cause of this account takeover.
Account takeover through IDOR is a basic technique for attacking and in my opinion it’s worth to try during penetration testing.
Thanks for reading :)