Greeting Everyone!
Hope Everything going good Today In this blog we are going to discuss about IDOR (Insecure Direct Object Reference) How an attacker Exploit against this security Vulnerability As we are going to See Suitable example of It . Let’s Start…
What is IDOR Insecure direct object references (IDOR)?
Insecure direct object references is a type of attack which cause direct access control of any resources which we don’t have authorization to access as in Vulnerable application allow user-supplied input to access objects directly. An IDOR Attack Which Cause associated with horizontal privilege escalation.
And , According to OWASP says, IDOR occurs when a user supplied input is unvalidatedand direct access to the object requested is provided.
Impact Of IDOR Vulnerability?
Exposure of Confidential Information Authentication Bypass
Account Takeover/Privilege escalation
Example Scenario Of IDOR :-
Here, As we have Account as We logged in As User1 wiener
Now we are inside Account Dashboard Of wiener ,
As above picture we see As we logged in as wiener it shows User API Key, If we look Url its look like
https://ac611f691f0089df80c00865000c00f9.web-security-academy.net/my-account?id=wiener ,
Now assume we see id = parameter contain user name now, if we change username 1 to user 2 which You don’t have access.
Now here Here, user ID is used directly as a record index in queries that are performed on the back-end database. If no other controls are in place, an attacker can simply modify the id=
value, bypassing access controls to view the records of other customers.
as, https://ac611f691f0089df80c00865000c00f9.web-security-academy.net/my-account?id=another
user, eg: https://ac611f691f0089df80c00865000c00f9.web-security-academy.net/my-account?id=carlos
As above picture By modifying Value of ID we are able to access another users Private api as accessing user private dashboard without any authorization.
An attacker might be able to perform horizontal and vertical privilege escalation by altering the user to one with additional privileges while bypassing access controls. and able to access another user Private dashboard.
Conclusion: As we discussed How IDOR Vulnerability cause Impact If your web application did not validating user supply Input as we discuss about IDOR And way To exploitation. Hope You Learned Something New…..
For References As Lab : https://portswigger.net/web-security/access-control/idor
Thanks For Reading……. See You In Another Blog!
Stick With Our Blog : https://securiumsolutions.com/
Author:
Pallab Jyoti Borah
VAPT Analyst