Exposing IDOR Vulnerabilities in the Digital Age

Nirdeshraya
3 min read · Feb 26, 2024


Hi all security researchers,

It’s me, Nirdesh Jung Rayamajhi, an enthusiast in ethical hacking and discovering vulnerabilities, and a beginner bug hunter.

I am here with another of my findings, an IDOR, through which I was able to read other users’ personal information without access rights or their consent.

Before I begin, let me share with you what IDOR is. It stands for Insecure Direct Object Reference.

IDOR

IDOR, which stands for Insecure Direct Object References, is a type of vulnerability that occurs when a website or application doesn’t properly control access to its data: the client supplies a reference to an object (such as a user ID), and the server returns that object without checking that the requester is allowed to see it. It’s a common mistake that beginners, like myself, should be aware of when starting in the field of cyber security. IDOR vulnerabilities can allow attackers to bypass security measures and access sensitive information that they shouldn’t have access to. It’s important to understand and address these vulnerabilities to protect user data and maintain a secure environment. For more information, see https://www.varonis.com/blog/what-is-idor-insecure-direct-object-reference.

Okay let’s jump into the loophole.

PROBLEM.

Imagine a scenario where an attacker gains access to sensitive information by exploiting an insecure direct object reference (IDOR). This loophole occurs when user-supplied input is used to sidestep authorization controls and directly access system resources that should be restricted. IDOR remains a prominent threat, and in the OWASP Top 10 it falls under the category of Broken Access Control.

When I was going through the target I chose for manual testing, I tried to manipulate the target’s functionality and its features.

After a few hours of hit-and-trial testing of the application, I found an interesting request captured in my Burp History.

I noticed that the captured request was a POST request handling a user ID (******), and the response returned the user’s personal information along with their address and cell-phone number.

After seeing the user ID, I tried replacing it with a random number. Guess what? It revealed the personal information of another user, which it shouldn’t do.

Upon changing the user ID to a random ID value, it allowed me to read the other user’s personal information even though I was not logged in with that user’s credentials.
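As an added illustration (not code from the target application or from this post), the following models the profile endpoint described above in its vulnerable form beside a version with an ownership check, plus a small authorization test of the kind that would have caught the finding. All user IDs, profile data and function names are constructed for this example.

```python
# Added example: a minimal model of a POST "get profile by user_id" endpoint,
# first with the IDOR, then with the ownership check that fixes it.
# Sample data, IDs and names are constructed for illustration only.
from dataclasses import dataclass

# Constructed sample data: user_id -> personal information the endpoint returns
PROFILES = {
    1001: {"name": "Alice", "address": "1 Example St", "phone": "555-0101"},
    1002: {"name": "Bob", "address": "2 Example Ave", "phone": "555-0102"},
}

class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""

@dataclass
class Request:
    session_user_id: int  # identity the server derived from the session cookie
    body: dict            # client-controlled POST body, e.g. {"user_id": 1002}

def get_profile_vulnerable(req: Request) -> dict:
    """IDOR: trusts user_id from the request body and never checks ownership,
    so any authenticated user can read any other user's profile."""
    return PROFILES[req.body["user_id"]]

def get_profile_fixed(req: Request) -> dict:
    """Fixed: the supplied object reference must match the authenticated
    identity; anything else is refused before touching the data store."""
    requested = req.body.get("user_id", req.session_user_id)
    if requested != req.session_user_id:
        raise Forbidden(f"user {req.session_user_id} may not read user {requested}")
    return PROFILES[requested]

def refuses_cross_user_read(handler, attacker_id: int, victim_id: int) -> bool:
    """Authorization test: a session for attacker_id asks for victim_id's profile.
    Returns True if the handler refuses (no IDOR), False if the data is returned."""
    req = Request(session_user_id=attacker_id, body={"user_id": victim_id})
    try:
        handler(req)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    print("vulnerable handler refuses:", refuses_cross_user_read(get_profile_vulnerable, 1001, 1002))
    print("fixed handler refuses:", refuses_cross_user_read(get_profile_fixed, 1001, 1002))
```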

While this bug may be considered simple for experienced researchers, I am excited to publish my findings as part of my bug hunting journey. Remember, the goal is not to encourage hacking, but rather to promote a mindset of learning and growth.

Let’s embrace the motto: “Don’t learn to hack, #hack2learn.”
