Open in app

Sign up

Sign in

Write

Sign up

Sign in

Testing and Bypassing Technique for IDOR

Insecure Direct Object reference

Vignesh
InfoSec Write-ups

--

Hey Guys welcome to the blog today we are going to discuss one of the easiest vulnerabilities to understand which is IDOR and It has a high/critical impact on bug bounty So in this article we going to discuss Testing for IDOR and some bypassing techniques for IDOR finale we end up with portswigger lab

What is IDOR?

IDOR is nothing but insecure direct object reference it is one of the access control vulnerabilities

This happens when they give direct access to the resource which the users cannot able to access that resource without any validation

When an application fails to properly validate and authorize user access to specific objects or resources, it creates an opportunity for unauthorized users to manipulate or access sensitive information. This can happen when the application relies on insecure or easily guessable object identifiers, allowing attackers to bypass the intended access restrictions. IDOR vulnerabilities highlight the importance of robust access controls and thorough validation to protect against unauthorized access and maintain data privacy and integrity.

Two Types of IDOR

  1. Read-Based IDOR: Using this you can able to read that information not able to alter that data
  2. Write-Based IDOR: Using this you can able to read and write that information and it is a critical vulnerability

Testing for IDOR

Before going to testing keep in mind IDOR is not only on the profile page where every ID or sensitive data are there possible places

And first don’t test it keep notes where every area is possible which will avoid demotivation (Recon the endpoints)

  1. Create Two accounts on the same targets ( If you see some different privileges like group admin, users means to create multiple accounts, and if it is not possible ask the company to give the multiple accounts for testing )
  2. Now choose one is the Vitcim account and One is Attacker Account
  3. Check for functionality where the user can delete, create or change the password
  4. Check for any guessable ID in a private message or any other functionality
  5. Capture the request and analysis in the burpsuite
  6. API like REST ( Representation state transfer ) and GraphQL is most vulnerable to IDOR
  7. Change the ID if it returns any other resource it is vulnerable to IDOR
  8. Sometimes we need to change the HTTP Method POST to GET and POST to DELETE

Note: Pay Attention to the premium function because most of the testers and hackers won’t go for there due to some laziness or not paid

So Now Let’s move to Portswigger Lab

Lab: Insecure direct object references

This lab stores user chat logs directly on the server’s file system and retrieves them using static URLs. Solve the lab by finding the password for the user carlos, and logging into their account.

In this Lab, there is Live chat functionality using this we need to get Carlos password to solve the lab

So first go for Live chat functionality

Here you can able to see the view transcript button using this you can able to download that transcript but it sends the transcript from the 2.txt, 3.txt, and 4.txt

In this case, you cannot able to get the 1.txt so think that the password is stored in the 1.txt

So Let’s get the 1.txt using the GET HTTP Method

First, capture the request

And change the method to the GET method as I said in STEP 8 ( in testing )

Add the /download-transcript/1.txt to view the file

Boooooooooommmm!!! Now you will get the password

So login with username and password

The Lab gets solved

From Lab Summary:

So Now you get a good idea about IDOR and important point check at every place the POST Method (sensitive place)

Nowadays IDOR became easy so everyone will find get patched it is hard to get the IDOR with a complex numeric ID so don’t worry there is a bypass technique to Bypass this protection

The strength of a system lies not only in its features but also in its ability to protect against Insecure Direct Object Reference vulnerabilities.

Leaked ID in Profile/Private Message

You can able to find the leaked ID in a private message or at the anywhere public profile

Using that ID we can able to retrieve the information

And you can be able to find this at Waybackurls sometimes

GET /messages?conversation_id=849849899938664746276776762767462474274

GET /messages?user_id=2763

Blind IDOR

Blind IDOR happens at the monthly bill details or the endpoints do not respond to the leaked information directly and immediately

A subscription-based system like month receiving the details via email on that request changing ID send a request via you Mail can lead to the IDOR

Changing the Request Method

Changing the request method to GET, POST, PUT, DELETE, and PATCH because the developer implements the access control for GET and POST but failed to implement it for PUT, DELETE, and PATCH

Change the GET to DELETE

DELETE example.com/uploads/user1236-01.jpeg

Change the POST To GET

GET /get_receipt?receipt_id=2983

Sometimes you can use the PUT to create Sometimes on another account

Chaining the bug with other

You can able to chain that bug with self xss and RCE (Remote code execution)

Automate of IDOR

https://github.com/Quitten/Autorize/

https://github.com/nccgroup/AutoRepeater

/https://github.com/SecurityInnovation/AuthMatrix/

I hope you will understand this if you feel this a helpful please give applause to this article and follow up on my profile for more updates

Donate to Me: https://buymeacoffee.com/0xevilox

Idor
Bug Bounty
Hacker
Bug Bounty Tips
Idor Vulnerability

--

--

Vignesh
InfoSec Write-ups
Follow

Written by Vignesh

109 Followers
Writer for

Hi, I'm Vignesh just call me Vicky. I'm a cybersecurity Researcher who was more interested in this cybersecurity field basically I'm a Offsec Student.

Follow

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams