IDOR

Insecure Direct Object References (IDOR) arise from weak access controls in the back end, allowing attackers to access or modify unauthorized data. While exposing internal object references isn't inherently a vulnerability, the lack of proper access control makes IDOR dangerous.

IDOR TYPES

  • IDOR information disclosure: the attacker reads private user data such as personal files or credit card details. This form of IDOR can lead to account takeover.

  • IDOR insecure function calls: the attacker invokes functions reserved for higher-privileged users (e.g. admin actions) and elevates privileges. This form of IDOR can lead to full system compromise.

#simple IDOR test
root@oco:~$ BROWSER > {targetSite:port}/download.php?file_id={123}
 * If the web application does not enforce proper access control on the back-end,
   an attacker can change the file_id parameter value to view or modify other users' data.
    - this is a compromise of confidentiality (and of integrity, if the object can be modified)

MITIGATION

  • build an object-level access control system

    • map the RBAC to all objects and resources and assign each user a role that has certain privileges

match /api/profile/{userId} {
    allow read, write: if user.isAuth == true
    && (user.uid == userId || user.roles == 'admin');
}

 * the user's session token is mapped to the RBAC. The rule only allows read/write access if the
   user's uid in the RBAC system matches the uid in the API endpoint they are
   requesting (or the user holds the admin role)
    - additionally, in this code snippet the user's privileges are not passed through
      the HTTP request, but resolved directly from the RBAC on the back-end using the
      user's logged-in session token as the authentication mechanism.
  • use secure references for objects when storing and calling them.

    • never use object references in clear text or simple patterns (e.g., uid=1). always use strong and unique references, such as salted hashes or UUIDs. lastly, never calculate hashes on the front-end: a reference the client can compute is a reference the client can forge

// Insecure pattern: the object reference (uid) is taken straight from the request
// and used as the lookup key, with no check that the logged-in user owns uid.
$uid = intval($_REQUEST['uid']);
$query = "SELECT url FROM documents where uid=" . $uid;
$result = mysqli_query($conn, $query);
$row = mysqli_fetch_array($result);
echo "<a href='" . $row['url'] . "' target='_blank'></a>";
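The two mitigations above (an object-level access control check driven by the session, and opaque server-generated object references) put together in one runnable example. This is added illustration code, not code from the original notes or from any framework; the session store, document store, tokens and file names are all constructed for the example, and the hardened lookup sits beside the unchecked lookup that the PHP snippet above demonstrates.

```python
import uuid
from typing import Dict, List, Optional

# ---- Constructed sample data (hypothetical; not from any real system) ----
# Server-side session store: token -> identity. The uid and roles are taken
# from here, never from a request parameter the client controls.
SESSIONS: Dict[str, dict] = {
    "tok-alice": {"uid": 1, "roles": {"user"}},
    "tok-bob":   {"uid": 2, "roles": {"user"}},
    "tok-admin": {"uid": 9, "roles": {"admin"}},
}

# Document store keyed by an opaque reference (a UUID generated on the
# server), not by a guessable pattern such as uid=1 or file_id=123.
DOCUMENTS: Dict[str, dict] = {}


class AccessDenied(Exception):
    """Raised when the object-level check fails (the HTTP layer maps this to 403/404)."""


def store_document(owner_uid: int, url: str) -> str:
    """Store a document and return its opaque reference (hypothetical helper)."""
    ref = str(uuid.uuid4())  # random and unique, computed server-side only
    DOCUMENTS[ref] = {"owner": owner_uid, "url": url}
    return ref


def current_user(token: str) -> Optional[dict]:
    """Resolve the logged-in identity from the session token."""
    return SESSIONS.get(token)


def is_authorized(user: Optional[dict], doc: dict) -> bool:
    """Object-level rule, mirroring the rule in the notes above:
    authenticated AND (owner of the object OR admin role)."""
    if user is None:
        return False
    return user["uid"] == doc["owner"] or "admin" in user["roles"]


def get_document_url(token: str, ref: str) -> str:
    """Hardened lookup: the reference is opaque, identity comes from the
    session, and authorization is checked before anything is returned."""
    user = current_user(token)
    doc = DOCUMENTS.get(ref)
    # A missing reference and a foreign document get the same answer, so the
    # response cannot be used to learn which references exist.
    if doc is None or not is_authorized(user, doc):
        raise AccessDenied("document not found or not accessible")
    return doc["url"]


def get_document_urls_vulnerable(request_uid: int) -> List[str]:
    """The pattern in the PHP snippet above: uid comes straight from the request
    and is used as the lookup key with no ownership check, so any caller can
    read another user's documents simply by changing uid."""
    return [d["url"] for d in DOCUMENTS.values() if d["owner"] == request_uid]


if __name__ == "__main__":
    ref = store_document(1, "/files/alice-report.pdf")
    print(get_document_url("tok-alice", ref))   # owner: allowed
    print(get_document_url("tok-admin", ref))   # admin role: allowed
    try:
        get_document_url("tok-bob", ref)        # another user: denied
    except AccessDenied as e:
        print("bob:", e)
    print(get_document_urls_vulnerable(1))      # no check at all
```

The point to notice is that the opaque reference alone is not the fix: `get_document_url` still checks ownership against the session, because an unguessable reference only raises the cost of enumeration, while the access control check is what actually stops a leaked or shared reference from being used by the wrong account.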
