by hamidullahbayram

IDOR/Broken Access Control with BurpSuite


Reference: OWASP Top 10 report


When we visit a website, the web application gives us access to its content through object references: values such as database keys, file names and directory paths that identify what is being requested. An attacker can imitate or manipulate an object reference that belongs to another user and so obtain that user's data from the application. Where the exposed object is something like a password-change or password-reset function, an IDOR also leads to account takeover, including takeover of a more privileged account. With that access, the attacker can go on to exploit other vulnerabilities present in the system, chaining them together.


IDOR (Insecure Direct Object Reference) is an access control vulnerability: the application authenticates the user and manages the session correctly, but fails to check that the authenticated user is authorized for the specific object being requested. It typically gives an attacker horizontal privilege escalation (access to other users' data at the same privilege level), and sometimes vertical escalation as well. It was ranked 4th (A4) in the OWASP Top 10 of 2013; in the 2017 edition it was merged into the broader Broken Access Control category, which moved to first place in the 2021 edition and is one of the most frequently tested issues in penetration tests. The impact is unauthorized disclosure, modification or destruction of data.


For instance: https://vuln-example.com/change_passe.php?account=450 In this URL, the account whose password is being changed is identified by a parameter in the query string. An attacker who notices this can change the value "450" to another number and submit the request on behalf of a different account. The value is the key used by the back-end database, and if the server performs no ownership check, the attacker can modify it freely.


Now I will walk through a short example from the PortSwigger lab on insecure direct object references, where the vulnerable function is the live chat with customer service: https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references


This is my conversation with customer service; I downloaded the transcript of the conversation after the session ended.



This is the captured GET request. Note the sequential number in the filename of the transcript being downloaded.


Right after that, we can send the request to the Repeater tab of Burp Suite and try other numbers for the downloadable .txt file to view the contents of another user's conversation with customer service.


Then, instead of trying values one by one, we can go further: send the request to Intruder, mark the transcript number as the payload position, and run a Sniper attack with a numeric payload list to harvest more credentials and information from the transcripts that come back.
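The lab's download function and the Intruder step, modelled offline as an added example (this is not code from the lab, from PortSwigger or from the original post). It assumes a toy server whose transcripts are stored under sequential numbers; the users, transcript texts and path format are constructed for the example. The vulnerable handler trusts the number in the URL, the hardened handler looks the object up and then checks ownership against the session user, and `sniper()` does what Intruder's Sniper attack does: substitutes each candidate number into the single payload position and keeps the responses that return 200.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample data modelled on the lab: transcript number -> (owner, text).
# The users and texts are made up for this example.
TRANSCRIPTS: Dict[int, Tuple[str, str]] = {
    1: ("wiener", "wiener: hi, I need help with my order\nsupport: sure, what is the order number?"),
    2: ("carlos", "carlos: I forgot my password\nsupport: I have reset it for you"),
    3: ("wiener", "wiener: thanks, that worked\nsupport: you are welcome"),
}

# Assumed path format for the download; anything else is treated as not found.
TRANSCRIPT_PATH = re.compile(r"^/download-transcript/(\d+)\.txt$")


@dataclass
class Request:
    session_user: str  # user the server has already authenticated for this session
    path: str          # e.g. "/download-transcript/2.txt"


@dataclass
class Response:
    status: int
    body: str = ""


def transcript_number(path: str) -> Optional[int]:
    """Pull the numeric transcript ID out of the download path, or None if malformed."""
    m = TRANSCRIPT_PATH.match(path)
    return int(m.group(1)) if m else None


def download_vulnerable(req: Request) -> Response:
    """IDOR: the number in the URL is trusted as-is, so any authenticated user reads any transcript."""
    n = transcript_number(req.path)
    if n is None or n not in TRANSCRIPTS:
        return Response(404)
    _owner, text = TRANSCRIPTS[n]
    return Response(200, text)


def download_hardened(req: Request) -> Response:
    """Fixed: the object is looked up, then ownership is checked against the session user."""
    n = transcript_number(req.path)
    if n is None or n not in TRANSCRIPTS:
        return Response(404)
    owner, text = TRANSCRIPTS[n]
    if owner != req.session_user:
        # 404 rather than 403, so the response does not confirm that the transcript exists.
        return Response(404)
    return Response(200, text)


def sniper(handler: Callable[[Request], Response], session_user: str,
           payloads: Iterable[int]) -> Dict[int, str]:
    """Mimic Burp Intruder's Sniper attack: one payload position (the transcript number)
    is replaced with each candidate in turn, and the responses with status 200 are kept,
    just as you would sort Intruder's results table by status code."""
    found: Dict[int, str] = {}
    for n in payloads:
        resp = handler(Request(session_user, f"/download-transcript/{n}.txt"))
        if resp.status == 200:
            found[n] = resp.body
    return found


if __name__ == "__main__":
    # Logged in as wiener, enumerate transcripts 1..5 against both handlers.
    print("vulnerable:", sorted(sniper(download_vulnerable, "wiener", range(1, 6))))
    print("hardened:  ", sorted(sniper(download_hardened, "wiener", range(1, 6))))
```

Against the vulnerable handler the enumeration returns every transcript that exists; against the hardened one it returns only wiener's own, and the attacker cannot tell from the status code whether number 2 exists at all.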


How to prevent..

  • Each reference should be valid only for one user or session, for example through an indirect, per-session reference map, so that a value captured from one user's traffic means nothing in another user's session.

  • Access permissions must be checked on the server before any reference received from an untrusted source is used: verify that the authenticated user owns, or is otherwise authorized for, the specific object requested.

  • Instead of sequential numbers or predictable strings, use random or keyed (HMAC) values. A plain, unkeyed hash of a sequential ID is not a protection, because an attacker can compute the same hash over the same candidate values.


Thanks for Reading...


https://medium.com/@hamidullahbayram/idor-broken-access-control-with-burpsuite-7b20f24282f6
