Hi, happy to be back with a new topic related to web exploitation, IDOR. IDOR is a type of access control vulnerability. Without any delay let’s get into the topic.

IDOR stands for Insecure Direct Object Reference

As already said, it is a type of access control vulnerability. An access control vulnerability is when an attacker can gain access to information or actions that are not intended for them. An IDOR vulnerability can occur when user-supplied input is received by the web server to retrieve objects. The objects here refers to files, data, documents, etc. As too much trust has been placed on that input data, the web application does not validate whether the user can be given access to requested object or not.

As previously mentioned, an IDOR vulnerability relies on changing user-supplied data. This user-supplied data can be found mainly in the following three places:

• Query components
• Post variables
• Cookies

Query components:

Query component data is passed in the URL when making a request in a website. Take a look at the following screenshot of an URL:

The URL can be breakdown into:

Protocol: https://

Domain: website.thm

Page: /profile

Query component: id=23

Here we can se that /profile page is being requested and the parameter id of value 23 is being passed in the query component. This page could potentially be showing us personal user information. If we change the id parameter to some other value, then we could view other users data.

Post variables:

Sometimes examining the contents of forms on a website can reveal fields that could be vulnerable to IDOR exploitation. For example, take the following HTML code for a form that updates a user’s password.

<form method=”POST” action=”/update-password”>
<input type=”hidden” name”user_id” value=”abc">
<div>New Password:</div>
<div><input type=”password” name=”new_password”></div>
<div><input type=”submit” value=”Change Password”>
</form>

You can see in the <input> tag that the user’s id is being passed to the webserver in a hidden field. By changing the value parameter to another user_id may result in changing the password for another user’s account.

Cookies:

Cookies are used to remember your session to stay logged into a website. Usually, this sends the session is which is a long string of random text which is hard to guess such as 8dghlsjh9k4dfkmzakfi3hr0k3n, which the webserver securely uses to retrieve your user information and validate your session. Sometimes, less experienced developers may store user information in the cookie itself, such as user’s id. Hence, by changing the value of this cookie could result in displaying another user’s information. You may refer the below example of how they might look.

GET /user-information HTTP/1.1
Host: website.thm
Cookie: user_id=9
User-Agent: Mozilla/5.0 (Ubuntu;Linux) Firefox/94.0

Hello Jon!

GET /user-information HTTP/1.1
Host: website.thm
Cookie: user_id=5
User-Agent: Mozilla/5.0 (Ubuntu;Linux) Firefox/94.0

Hello Martin!

Happy hacking :)

Reference:
Advent of cyber 3 room in THM