Broken Access Control & IDORS
Last updated
Was this helpful?
Last updated
Was this helpful?
IDORs happen when users can access resources that do not belong to them by directly referencing the object ID, object number, or filename. ==Remember that you can trigger IDORs from different locations within a request, like URL parameters, form fields, filepaths, headers, and cookies==
The App should check the user’s identity and permissions before granting access to a resource. ( a MUST )
The website can use a unique, unpredictable key or a hashed identifier to reference each user’s resources.
You can find a pretty good one here
IDORs aren’t always as simple as switching out a numeric ID, the way they reference resources also often becomes more complex
Don’t ignore encoded and hashed IDs likely to be (base64url, base64, URL)
Use the Smart Decode tool in Burp’s decoder
If the application is using a hashed or randomized ID
See if the ID is predictable
try creating a few accounts to analyze how these IDs are created.
You might be able to find a pattern that will allow you to predict IDs belonging to other users.
If no IDs exist in the generated request, try adding one to the request
Append id, user_id, message_id, or other object references to the URL query, or the POST body parameters GET /api_v1/messages => GET /api_v1/messages?user_id=ANOTHER_USERS_ID
Try Parameter Pollution
sometimes endpoints susceptible to IDOR don’t respond with the leaked information directly. For example, imagine that this endpoint on example.com allows users to email themselves a copy of a receipt:
this will send the receipt with id= 3001 info to the Email of the current user, if we tried a receipt belongs to another user like 2983
Applications often enable multiple request methods on the same endpoint but fail to implement the same access control for each method: GET example.com/uploads/user1236-01.jpeg-> DELETE example.com/uploads/user1236-01.jpeg
Applications might be flexible about how the user can identify information GET /get_receipt?receipt_id=2983 -> GET /get_receipt?receipt_id=2983.json
The impact of an IDOR depends on the affected function
Read-based IDORs -> look for sensitive information in the application (direct messages, personal information, and private content)
Write-based IDORs-> (password reset, password change, and account recovery features, email subscription settings)
Write-based IDOR can be combined with self-XSS to form a stored XSS.
An IDOR on a password reset endpoint combined with username enumeration can lead to a mass account takeover.
Write IDOR on an admin account may even lead to RCE!
A very Good reference you can find here-> https://www.tevora.com/threat-blog/finding-broken-access-controls/
Create two accounts for each application role and designate one as the attacker account and the other as the victim account
Pay attention to features that return sensitive information or modify user-data
Revisit the features you discovered in step 2. With a proxy, intercept your browser traffic while you browse through the sensitive functionalities.
With a proxy, intercept each sensitive request and switch out the IDs that you see in the requests. If switching out IDs grants you access to other users’ information or lets you change their data, you might have found an IDOR.
try a protection-bypass technique
Monitor for information leaks in export files, email, and text alerts. An IDOR now might lead to an info leak in the future.
Draft your first IDOR report
Burp intruder to iterate through IDs to find valid ones, The Burp extension scans for authorization issues by accessing higher-privileged accounts with lower-privileged accounts, whereas the Burp extensions and allow you to automate the process of switching out cookies, headers, and parameters.