IDOR Vulnerabilities

IDOR vulnerabilities are a common problem we see during web application penetration tests. Insecure direct object references (IDOR) are a type of access control vulnerability that occurs when a web application uses user-supplied input to access objects directly, without checking that the requesting user is authorized to access them.

The 2013 OWASP Top 10 listed IDOR together with security misconfiguration, sensitive data exposure, and missing function level access control. In the 2017 OWASP Top 10, IDOR was consolidated into Broken Access Control.

IDOR Vulnerability Concepts

[Figure: idor-example]

In the graphic above you can see that when the user “admin” logs in, they get access to an administrator dashboard with the following functions:

• Create Users
• Delete Users
• Reset Passwords

These are common functions you would expect to see in an administrator level dashboard for a web application.

To illustrate how IDOR vulnerabilities would affect this scenario, consider a normal user who logs into the same web application. When the normal user logs in they get access to a user level dashboard, but it does not have the same functions as the administrator level dashboard.

If an IDOR vulnerability is present, they can force browse to the links for the administrator level functions and get access, because the server only hides the links instead of checking the user's role on each request.

That is easy if they already know the URLs for the admin level functions; if they do not, they can enumerate URLs until they find one.
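The scenario above, as an added example that is not code from the original article: a toy dashboard router that contrasts the "hidden link" mistake behind forced browsing with a proper server-side role check on every privileged route. The route names, roles, users and status codes are constructed for the illustration and do not come from any real application.

```python
# Added example (not from the original article): a toy dashboard router.
# handle_vulnerable() only checks that someone is logged in, so any
# authenticated user who types or enumerates an admin URL is served the admin
# function. handle_hardened() enforces the route's required role on the
# server for every request. Routes, roles and users are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    username: str
    role: str  # "admin" or "user" (constructed role names)


# Privileged functions from the admin dashboard and the role each requires.
ROUTE_POLICY: Dict[str, str] = {
    "/admin/create_user": "admin",
    "/admin/delete_user": "admin",
    "/admin/reset_password": "admin",
    "/user/profile": "user",
}


def menu_for(session: Session) -> List[str]:
    """What the UI shows. Hiding links is presentation, not access control."""
    return [path for path, role in ROUTE_POLICY.items()
            if role == "user" or session.role == "admin"]


def handle_vulnerable(session: Optional[Session], path: str) -> int:
    """Broken access control: the only check is 'is a user logged in'."""
    if session is None:
        return 401
    if path not in ROUTE_POLICY:
        return 404
    return 200  # privileged function runs for any role


def handle_hardened(session: Optional[Session], path: str) -> int:
    """Checks the route's required role on the server, independent of
    whether the link was shown in the caller's menu."""
    if session is None:
        return 401
    required = ROUTE_POLICY.get(path)
    if required is None:
        return 404
    if required == "admin" and session.role != "admin":
        return 403  # deny (and log) instead of trusting the client
    return 200


if __name__ == "__main__":
    admin = Session("admin", "admin")
    bob = Session("bob", "user")
    print("bob's menu:", menu_for(bob))
    print("vulnerable:", handle_vulnerable(bob, "/admin/delete_user"))  # 200
    print("hardened:  ", handle_hardened(bob, "/admin/delete_user"))    # 403
    print("hardened admin:", handle_hardened(admin, "/admin/delete_user"))  # 200
```

The point of the comparison is that `menu_for` is identical in both cases: the normal user never sees the admin links, yet the vulnerable router still executes the admin function when the URL is requested directly. The fix is the per-request role check in `handle_hardened`, not better hiding of the links.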

IDOR Vulnerability Enumeration

Enumeration is a way of cycling through candidate values in an attempt to find one that is valid. For example, using Burp Suite Intruder to enumerate URLs under the main URL “domain.com” would look like this:

• domain.com/test.php
• domain.com/admin.php
• domain.com/user.php
• domain.com/access.php
• domain.com/root.php

Basically we use a word list in Intruder that contains common PHP file names like the ones you see after the “/” in the URLs above. Intruder cycles quickly through all of these and we can determine which are actual URLs using the response codes:

• 200 is a real URL
• 400 is not a real URL
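The enumeration described above leaves a recognizable trail on the server side: one client requesting many distinct paths in a short window, most of them answered with a "not found" style status. As an added example that is not part of the original article, the following detection heuristic runs over constructed access log lines in Common Log Format and flags clients that requested at least a threshold number of different non-existent paths within a time window. The IP addresses, paths, timestamps and status codes are constructed sample data, and the threshold and window are assumptions to tune per site.

```python
# Added example (not from the original article): flag URL enumeration in
# web-server access logs. Log lines, addresses and thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Common Log Format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: 203.0.113.7 cycles a word list of PHP names (one of them
# exists), 198.51.100.4 is a normal visitor with a single stale link.
SAMPLE_LOG: List[str] = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /test.php HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /admin.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /user.php HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /access.php HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /root.php HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /backup.php HTTP/1.1" 404 196',
    '203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /config.php HTTP/1.1" 404 196',
    '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Oct/2023:13:57:30 +0000] "GET /old.php HTTP/1.1" 404 196',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def find_enumeration(lines: List[str], min_distinct: int = 5,
                     window_seconds: int = 60) -> Dict[str, int]:
    """Return {ip: distinct_failed_paths} for clients that hit at least
    `min_distinct` different paths with a 4xx answer inside any window of
    `window_seconds`. Servers normally answer a missing path with 404; all
    4xx codes are counted so a deployment that answers 400 or 403 for unknown
    paths is still caught."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and 400 <= rec["status"] < 500:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged: Dict[str, int] = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({path for _, path in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {count} distinct failed paths")
```

Counting distinct paths rather than raw request volume separates a word-list scan from a user who reloads one broken link many times, and counting only within a window keeps a long-lived client's occasional typos from accumulating into a false positive. The hit on `/admin.php` in the sample is what the attacker was looking for; the surrounding burst of misses is what gives the activity away.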

Why Test for IDOR Vulnerabilities?

During a penetration test we test for IDOR vulnerabilities to determine if we can get access to areas of web applications that we shouldn't. As defensive security professionals, you should test your organization's web applications to ensure vulnerable applications aren't pushed to production.

Testing for IDOR Vulnerabilities