IDOR Vulnerability - Simple But Significant

IDOR - Insecure direct object references vulnerability, What is this?

Application or website can have many variables such as "id", "pid", "uid" etc. Though these values are often regarded as parameters of HTTP, they can also be found in headers and cookies. By modifying the values the attacker may view, change or delete any of the data of other users without valid authorization. The vulnerability is known as IDOR.

Authentication ensures verifying an individual's identity and whether the user is authenticated (verified) and allowing the person to access specific requests.

Few examples showing the untrusted data that can be exploited by using IDOR:

• https://insafweb.in/profile/?id=564
• https://insafweb.in/profile/?id=4356
• https://insafweb.in/profile/edit/?id=4378
• https://insafweb.in/post/edit/?id=43

Now we can see that the user id is insecure in the URL and that may be tampered it to bypass authentication by an attacker. In the above URLs, the attacker will modify the "id" parameter in the web application and can enter multiple account numbers to retrieve/change the information. Burp Suite Tool is commonly used by attackers to execute this kind of attack. Let's look how to execute IDOR attack in Burpsuite.

1. Capture the Request: First of all, open a web page and capture the request on burpsuite or open a web form and submit and then capture the request.
2. Forward request to Repeater: Find the parameters that are vulnerable to the attack and forward the request to the repeater.
3. Tampering of Parameters and repeat the process: Now change the parameters and look at what happens. Boom!! Maybe you are lucky or continue your work. Because persistence is the key.

Impacts of IDOR Vulnerability

• Authentication Bypass.
• View and manipulation of Data.
• Exposure of Confidential Information.
• Account Takeover.

Remediation

Websites may be vulnerable to attacks if IDOR threat actors remain present in your web applications. Here are ways to avoid IDOR vulnerability:

• Avoid displaying private object references such as keys or static file names such as forms, profile pictures or other files.
• Validation and Verification of all the Referenced objects or parameters should be done correctly.
• Tokens can be used for disallow tampering of reference objects.
• Use an Indirect Reference Map - It replaces the actual references with alternate IDs that map to the original values.

Reference: https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/