Stories Of IDOR

Shivbihari Pandey
Sep 28 · 4 min read

Hello,

Welcome back.

This is going to be a series where I will share my findings.

What Is IDOR:

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly.

In simple language, suppose there are two user accounts, U1 and U2, and both have files in their accounts, but only the account owner can access them: U1 can only access his own files, not U2's files.

One day U1 tries to view his file blahBlah.pdf, and the file URL in the browser looks like:

https://whocare.com/file/23

Now the curious U1 changes the last number to see what happens, like:

https://whocare.com/file/50

Now he is able to view U2's file from his own account.

Now the question is why:

Because the application provides direct access to the object based on user input, without validating that the requesting user is actually authorized to access that object.
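To make the "why" concrete, here is an added example (not code from the original post): a file-download lookup written first the way the post describes it, resolving the object from the user-supplied id alone, and then with the ownership check that closes the IDOR. The table, user names and file ids are constructed for this demo and are not from the site in the post.

```python
# Added example (not code from the original post): a file-download lookup
# implemented first without and then with an ownership check.
# The table, users and file ids are constructed for this demo.
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed data: U1 owns file 23, U2 owns file 50 (as in the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?)",
        [(23, "U1", "blahBlah.pdf"), (50, "U2", "u2-private.pdf")],
    )
    return conn


def vulnerable_get_file(conn, current_user: str, file_id: int):
    """Resolves the object from the id in the URL only. current_user (the
    session) is available but never consulted, so U1 asking for /file/50
    receives U2's file. This is the IDOR."""
    row = conn.execute("SELECT name FROM files WHERE id = ?", (file_id,)).fetchone()
    return row[0] if row else None


def fixed_get_file(conn, current_user: str, file_id: int):
    """Scopes the lookup to the authenticated user. A file that exists but
    belongs to someone else yields the same result as a file that does not
    exist, so the response does not confirm which ids are valid."""
    row = conn.execute(
        "SELECT name FROM files WHERE id = ? AND owner = ?", (file_id, current_user)
    ).fetchone()
    return row[0] if row else None


def denied_lookups(conn, current_user: str, requested_ids):
    """Detection aid: ids that exist but are not owned by current_user.
    A session that accumulates many of these is walking through other
    users' objects, which is worth logging and alerting on."""
    denied = []
    for fid in requested_ids:
        exists = conn.execute("SELECT 1 FROM files WHERE id = ?", (fid,)).fetchone()
        if exists and fixed_get_file(conn, current_user, fid) is None:
            denied.append(fid)
    return denied


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, U1 -> /file/50:", vulnerable_get_file(db, "U1", 50))
    print("fixed,      U1 -> /file/50:", fixed_get_file(db, "U1", 50))
    print("denied ids for U1 over 1..60:", denied_lookups(db, "U1", range(1, 61)))
```

The fix is one extra predicate in the query, but note where it lives: the ownership condition is part of the lookup itself, not a check bolted on afterwards, so there is no code path that fetches the object and forgets to compare owners. The `denied_lookups` helper shows the defender's side of the same data: a single session producing many "exists but not mine" results is the signature of the id-changing behaviour the post describes.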

How to Find it

IDOR is present in applications just like XSS, and it is very easy to find, but it becomes even easier once you understand the purpose and workflow of the application you are testing.

I am going to share some of my findings, which will clarify how and where to find these issues.

Part 1: IDOR: Able to View Other Users' Account Details

This began while I was signing up for a user account; the request intercepted by Burp Proxy looked something like this:

The whocare.com domain makes an internal API call for sign-up.

[Screenshot: Request]

Now, if you look at the request, there is a parameter user_id. For testing purposes I changed it to random values, and I got an error response like: user already exists, and along with that it disclosed the user's information: name, email, address, etc.

[Screenshot: Response]

I redacted some of the personal information, because I got the admin account details. Actually this did not come up in one shot; I started to brute force the user_id parameter using Burp Suite Intruder and got many users' details, among which I found the admin account details too.

Part 2: IDOR: Can Unsubscribe Any User's Email From the Subscription List

On the same website whocare.com [dummy name], there is an option to subscribe to the newsletter for email notifications about the latest updates.

In the user account settings there is an option to unsubscribe from the newsletter. When you submit the request, they send an email to the registered user, and the URL looks like this:

http://whocare.com/deleteNewsletter/dmljdGltZW1haWxAZ21haWwuY29t

If you look, it's base64 encoding:

dGVzdGVybWFpbEBnbWFpbC5jb20= : testermail@gmail.com

So we only need a user's email in order to unsubscribe that user from the newsletter, because they are not validating this request.

From the first issue we were able to get user information including emails, so if you want to unsubscribe all the users from the website you just need the users' email addresses, which you already have. For the attack: intercept this URL request, send it to Intruder, add all the users' emails, base64-encode them before submitting, and start the attack. Period.

So I tried to chain the two small IDORs into an impactful report.

Part 3: Open Mail Relay Identified: Can Send Spoofed Email to Victims From the Authentic whocare.com Mail Server

This is another vulnerability that exists in the same domain, in the feedback section, from where you can submit feedback to the team.

The request for this looks like:

Now, if you look at the request, there are two parameters we will use for attacking purposes:

ContactUs_Department_Txt = the address the email is sent to

ContactUs_Email_Txt = the address the email is sent from

ContactUs_MessageBody_Txt = the message you want to send

Now I can craft a new request and change the parameters like this:

ContactUs_Department_Txt=admin@whocare.com

ContactUs_Email_Txt=[Use All the Users List For Attacking purpose]

Now all the users will get an email from the admin account, which looks legitimate: a perfect setup for phishing.
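The root cause in Part 3 is that the form fields decide who the mail goes to and who it appears to come from. The following added example (not code from the original post or the site) contrasts a feedback handler that copies those fields into the headers with one that fixes the recipient from a server-side allow-list and the From address to a system sender, keeping the visitor's address only as Reply-To. The parameter names are the ones shown in the post; the department list, addresses and form values are constructed for the demo.

```python
# Added example (not code from the original post): building the outgoing
# feedback email so that client-controlled fields cannot choose the
# recipient or the From address. Department map and addresses are constructed.
from email.message import EmailMessage

# Constructed server-side allow-list: form sends a key, never an address.
DEPARTMENTS = {
    "support": "support@whocare.example",
    "billing": "billing@whocare.example",
}
SYSTEM_SENDER = "noreply@whocare.example"


def vulnerable_feedback_email(form: dict) -> EmailMessage:
    """Mirrors the behaviour described in the post: the To and From headers
    are taken straight from the submitted parameters, so the mail server
    becomes a relay that sends whatever the client asks for."""
    msg = EmailMessage()
    msg["To"] = form.get("ContactUs_Department_Txt", "")
    msg["From"] = form.get("ContactUs_Email_Txt", "")
    msg["Subject"] = "Website feedback"
    msg.set_content(form.get("ContactUs_MessageBody_Txt", ""))
    return msg


def _validate_visitor_email(value: str) -> str:
    """Minimal sanity check: one address, no header-injection characters."""
    value = value.strip()
    if not value or "@" not in value or any(c in value for c in "\r\n,;"):
        raise ValueError("invalid visitor email")
    return value


def fixed_feedback_email(form: dict) -> EmailMessage:
    """Recipient comes from the allow-list, From is always the system sender,
    and the visitor's address is only used as Reply-To. An unknown department
    key is rejected rather than interpreted as an address."""
    dept_key = form.get("ContactUs_Department_Txt", "")
    if dept_key not in DEPARTMENTS:
        raise ValueError("unknown department")
    visitor = _validate_visitor_email(form.get("ContactUs_Email_Txt", ""))

    msg = EmailMessage()
    msg["To"] = DEPARTMENTS[dept_key]
    msg["From"] = SYSTEM_SENDER
    msg["Reply-To"] = visitor
    msg["Subject"] = "Website feedback"
    msg.set_content(form.get("ContactUs_MessageBody_Txt", ""))
    return msg


if __name__ == "__main__":
    # Constructed form submission.
    form = {
        "ContactUs_Department_Txt": "support",
        "ContactUs_Email_Txt": "visitor@example.net",
        "ContactUs_MessageBody_Txt": "The download page is broken.",
    }
    print(fixed_feedback_email(form))
```

The important design choice is that the client never supplies an address that ends up in To or From at all: it supplies a key, and the server maps it. If the visitor's address must be usable for a reply, Reply-To carries it without letting the message claim to originate from an internal account.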

I have other stories about IDOR; hopefully I will write about those in the future.

Remediation:

Proper access control needs to be implemented: every such request should be validated before it proceeds, i.e. the server must check that the requesting user actually owns, or is allowed to act on, the referenced object. Another thing: always

use unpredictable, random identifiers or strong encryption of the reference instead of plain sequential numbers. Instead of id=3, use a random, opaque value.

For more information please visit:

https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html

Timeline:

  1. Report sent
  2. Patched
  3. Bounty awarded [who cares 🤷‍♀️ except me]

That's it for now; we will meet soon in the next blog post. Till then, goodbye.

If you like this post, feel free to retweet.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by Shivbihari Pandey, security researcher
