
Insecure Direct Object Reference

Sam Sanoop edited this page Dec 27, 2020 · 3 revisions

Introduction

Insecure Direct Object Reference (IDOR) occurs when an application exposes a reference to an internal implementation object. By leveraging this behaviour, it is possible to reveal and understand the real identifier, and the format/pattern the application's storage mechanism uses for the element. This can be combined with other access control issues to access data belonging to other users of the application by enumerating the identifier.

Details (Vertical Access Control Issue)

After registering and logging in to the DVWS application frontend (http://dvws.local/), it is possible to access the notes area. The notes area allows a user to create a note. A note can be created here with one of the states ['note', 'reminder', 'list', 'secret', 'public']. A note in any state other than public should not be accessible by other users.

[Screenshot: dvwsidor2]

The API request/response which fetches the created notes data can be seen below:

GET /api/v2/notes/ HTTP/1.1
Host: dvws.local
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoic2FtcyIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNTkxNDQ3MjUwLCJleHAiOjE1OTE2MjAwNTAsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.XIyvc3PAqSlvmD3P7AQImaoMskrT0V3A7uyj1CKLaEw
Connection: close

HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: null
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Type: application/json; charset=utf-8
Content-Length: 475
ETag: W/"1db-hTWceRv/5yS5x4DtBZ1laEtMP3Q"
Date: Sat, 06 Jun 2020 12:56:14 GMT
Connection: close

[{"type":["secret"],"_id":0,"name":"privatenote","body":"hidden secret","user":"sams","Created_date":"2020-06-06T12:42:09.588Z"},{"type":["list"],"_id":1,"name":"test","body":"apple,orange,banana","user":"sams","Created_date":"2020-06-06T12:55:48.840Z"},{"type":["note"],"_id":2,"name":"test","body":"test","user":"sams","Created_date":"2020-06-06T12:55:58.519Z"},{"type":["list"],"_id":3,"name":"foo","body":"foobar","user":"sams","Created_date":"2020-06-06T12:56:12.724Z"}]

By studying the response, it is possible to understand that the _id parameter is a reference to an internal implementation object, and that each note can be requested separately by following the API's URL logic, e.g. http://dvws.local/api/v2/notes/3.

As such, it is possible to read notes created by other users by enumerating object IDs.

[Screenshot: dvwsidor3]
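As an added example (not part of this wiki page or of the DVWS code), the following Node.js snippet contrasts the lookup pattern described above with an ownership check: the requesting user's identity is taken from the already-verified JWT `user` claim (the bearer token above carries `"user":"sams"`), and a note is returned only if that user owns it or the note is public. The note data mirrors the response above; the `alice` user, note `_id` 4 and the `notesByIdHandler` wiring are constructed assumptions.

```javascript
// Constructed sample data mirroring the /api/v2/notes/ response on this page.
const NOTES = [
  { type: ["secret"], _id: 0, name: "privatenote", body: "hidden secret", user: "sams" },
  { type: ["list"],   _id: 1, name: "test", body: "apple,orange,banana", user: "sams" },
  { type: ["public"], _id: 4, name: "announce", body: "visible to all", user: "sams" }, // constructed
];

// Vulnerable pattern: resolves the note from the direct object reference alone,
// so any authenticated user can read any note by enumerating _id values.
function getNoteVulnerable(notes, id) {
  const note = notes.find((n) => n._id === id);
  return note ? { status: 200, body: note } : { status: 404, body: null };
}

// Ownership rule: the owner may read it, or anyone may read it if it is public.
// requestingUser must come from the verified token, never from request input.
function canReadNote(note, requestingUser) {
  return note.user === requestingUser || note.type.includes("public");
}

// Hardened lookup: filter by id AND by the requesting user's rights.
function getNoteHardened(notes, id, requestingUser) {
  const note = notes.find((n) => n._id === id);
  // Return 404 for both "missing" and "not yours" so the response does not
  // confirm whether an enumerated id exists.
  if (!note || !canReadNote(note, requestingUser)) {
    return { status: 404, body: null };
  }
  return { status: 200, body: note };
}

// Express-style handler (assumption: a JWT-verifying middleware sets req.user
// to the decoded payload, whose "user" claim is "sams" in the token above).
function notesByIdHandler(req, res) {
  const id = Number.parseInt(req.params.id, 10);
  const result = Number.isNaN(id)
    ? { status: 400, body: null }
    : getNoteHardened(NOTES, id, req.user.user);
  res.status(result.status).json(result.body);
}
```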
