An Insecure Direct Object Reference, or IDOR, is a relatively easy-to-spot vulnerability that can grant us access to things we shouldn’t have access to.
Let’s see how we can find and use them in our daily #FromZeroToHacker challenge.
| Table of contents |
| Introduction |
| What I have learnt today? |
| Stats |
| Resources |
Introduction to IDOR
What is an IDOR?
IDOR, or Insecure Direct Object Reference, is a type of access control vulnerability: This occurs when a web server allows the user to input objects (Files, data, etc…) but it is not validated (checked) by the web server, allowing the user to introduce malicious and dangerous data.
For example, imagine you are checking your profile on a website, and the link is www.samplewebsite.com/profile?id=1005, where you can see all your information.
At the end of the URL, you can see the ID argument having a value of 1005: Your ID. But what if you change that 1005 to 1000? or 548?
If you could see another user’s information, that would be an IDOR vulnerability, as the server is not checking if that’s your user.
Finding IDORs in encoded IDs
Aware of this vulnerability, sometimes web developers try to be a bit cheeky and encode their IDs: Instead of showing id=3895, the data would be something like eY53Adnb93gIsa. That is data encoded, using base32 or base64, but still easy to spot.
As you know, because you read my yesterday’s post on Authentication Bypass, you can Decode and Encode easily with websites like https://www.base64decode.org/ and https://www.base64encode.org/.
The data is encoded to make it harder to spot, but we can easily decode that text, manipulate it, then encode it again. Let’s see a graphical example of this process:
Finding IDORs in Hashed IDs
Aware of this technique, wise web developers turned to instead of encoding the data, hashing it. Of course, you already knew all about hashing as I already explained it 🙂
Hashed IDs, while being a bit more complicated to deal with due to the nature that encoded IDs still follow a predictable pattern. For example, Hello in MD5 hash is 8b1a9953c4611296a827abf8c47804d7 and f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0 SHA1 hash.
Hashed data cannot be ‘un-hashed’ back, but there are lists with billions of ‘hash-to-value’ results that we can use to check the value of a hash. https://crackstation.net/ is a popular choice to do so.
Finding IDORs in unpredictable IDs
If using the above methods (Finding IDORs in encoded and hashed IDs) doesn’t work, we can use a great method of IDOR detection. We can create two accounts on the same website, and swap the ID numbers between them. If with the A account we can have access to B account (or even without login in!), we have found an IDOR vulnerability in the system.
Where are IDORs located?
Not all the vulnerabilities are as easy to spot as just looking at the address bar.
Sometimes, data is loaded via AJAX request or something we can find if we go deep into a JavaScript file. Sometimes, endpoints could have an unreferenced parameter that has been of some use during development and pushed to production.
For example, you may see in the developer tools that it calls to /user/details, but if we look closely, we may discover a parameter called user_id that we can use to display other users’ information, for example, /user/details?user_id=324.
Summary
We have learnt that an IDOR stands for Insecure Direct Object Reference, a process where we can access the information we shouldn’t have access to.
Sometimes an URL has something like ?id=589 and, by changing the ID number, we can access data other than ours.
But sometimes that string of data is hidden, either by being encoded or hashed: It doesn’t matter, as we can decode it back or search in databases for the value of that hash.
Or sometimes it makes requests to the webserver that we can find if we check the Network section.
Stats
From 170.981th to 167.982th. Now I am in the top 8% in TryHackMe!
Here is also the Skill Matrix:
Resources
Path: Web Fundamentals
Introduction to Web Hacking
Other resources
Authentication Bypass
https://www.base64decode.org/
https://www.base64encode.org/
https://crackstation.net/
Video: IDOR in 100 seconds
Video: IDOR attack
