i Insecure direct object references (IDOR) – All things in moderation

Insecure direct object references (IDOR)

1. Vunerability Description

Insecure Direct Object References(IDOR) occur when an application provides direct access to object based on user-supplied input. As a resutl of this vulnerabilty attackers can bypass authorization and access resources in system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypasss authorization and access resources directly by modifying the value of a prarameter used to directly to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact theat the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

2.Type of IDOR

3.How to discover

The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider:

  1. For direct references to restricted resources, the application needs to verify the user is authorized to access the exact resource they have requested.
  2. If the reference is an indirect reference, the mapping to the direct reference must be limited to values authorized for the current user.

Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.

4.How to prevent
  • It is also often recommended to use something less obvious that is harder to enumerate as a reference. Eg., a random string instead of an incrementing integer. This can be a good idea for multiple reasons, but should absolutely not be trusted as the only prevention against such an attack.
  • Using an indirect object references map:
    An indirect reference map is simply is simply a substitution of the internal reference with an alternate ID which can be safely exposed externally. Firstly, a map is created on the server between the actual key and the substitution. Next, the key is translated to its substitution before being exposed to the UI. Finally, after the substituted key is returned to the server, it’s translated back to the original before the data is retrieved.
5.Example attack

The application uses unverified data in a SQL call that is accessing account information:

String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query , ... );
pstmt.setString( 1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();

The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account.

  • RailsGoat
    • Vunerable code:

class WorkInfoController < ApplicationController def index @user = User.find_by_user_id(params[:user_id]) if !(@user) flash[:error] = "Sorry, no user with that user id exists" redirect_to home_dashboard_index_path end end end

Instead of using the current_user object which, takes the user ID value from the user’s session and is normally resilient against tampering, the user ID is pulled from the request parameter (user id in the RESTful URL). Additionally, even in the session, User IDs should be sufficiently random and the sessions stored in a persistent manner (ActiveRcord) versus using the Base64 encoded / HMAC validation session schema.
– Fist, I’m sign in with Jim’s account :
and view work infor :
I’m trying modify users id in url and I receive info about another account:

Through modify id in url , I can see all information another account. :)))))

  • Let’s try find this error in real website :
    Target site : hdonline.vn

    • Situation 1 : I don’t have account . I’m view source of site and see field userid:

– Situation 2: I creat an account . And view source of site again :
Yeah , I see javascript code , and I try enter url in my browser :
Try another userid:

Oh , I can see all user’s filml_id seen with not authorization.
With simple scipt , I can enumerate all user’s film_id.

This error in site not risk for system , but It leak sensitive information can useful to help attack by another way .


Interesting public bug bounty-reports:

Leave a Reply