IDOR vulnerabilities are a common problem we see during web application penetration tests. Insecure direct object references (IDOR) are a type of access control vulnerability that occurs when a web application uses user-supplied input to access objects directly.
The 2013 OWASP Top 10 listed IDOR under Security Misconfiguration, Sensitive Data Exposure, and Missing Function Level Access Control. In the 2017 OWASP Top 10, IDOR was consolidated into Broken Access Control.
IDOR Vulnerability Concepts
In the graphic above you can see that when the user “admin” logs in, they get access to an administrator dashboard with the following functions:
- Create Users
- Delete Users
- Reset Passwords
These are common functions you would expect to see in an administrator level dashboard for a web application.
To illustrate how IDOR vulnerabilities would affect this scenario, consider a normal user that logs into the same web application. When the normal user logs in they get access to a user level dashboard, but it doesn’t have the same functions as the administrator level dashboard.
If an IDOR vulnerability is present, they can force browse to the links for the administrator-level functions and get access.
That is easy if they know the URLs of the admin-level functions; if they don't, they can enumerate URLs until they find one.
IDOR Vulnerability Enumeration
Enumeration is a way of cycling through candidate values until a correct one is found. For example, using Burp Suite Intruder to enumerate URLs under the base URL "domain.com" would look like this:
- domain.com/test.php
- domain.com/admin.php
- domain.com/user.php
- domain.com/access.php
- domain.com/root.php
Basically, we use a word list in Intruder that contains common PHP file names, the part after the "/" in the URLs above. Intruder cycles through all of them quickly, and the response codes tell us which ones are actual URLs:
- 200 is a real URL
- 400 is not a real URL
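To tie the two sections together, here is an added example (not code from the original post) modelling the admin dashboard scenario: a dispatcher that merely hides admin links from the user dashboard beside a hardened one that checks the role on every request, plus a small check over constructed access-log lines that flags the response-code pattern force browsing leaves behind. The session table, function paths and log lines are all constructed for the example.

```python
# Added example, not from the original post: hidden-link "protection" versus a
# server-side role check, and a detector for URL-enumeration response patterns.
from collections import Counter

# Constructed session table: which logged-in session holds which role.
SESSIONS = {"sess-admin": "admin", "sess-bob": "user"}
# Hypothetical paths for the admin functions named in the post.
ADMIN_FUNCTIONS = {"/create_user.php", "/delete_user.php", "/reset_password.php"}
USER_FUNCTIONS = {"/user.php"}

def vulnerable_dispatch(session_id, path):
    """Hides admin links from the user dashboard but never checks the role,
    so a user who knows or enumerates the URL reaches the admin function."""
    if session_id not in SESSIONS:
        return 401
    if path in ADMIN_FUNCTIONS or path in USER_FUNCTIONS:
        return 200  # IDOR: any logged-in session gets through
    return 404

def hardened_dispatch(session_id, path):
    """Enforces the role server-side on every request, not only in the menu."""
    role = SESSIONS.get(session_id)
    if role is None:
        return 401
    if path in ADMIN_FUNCTIONS:
        return 200 if role == "admin" else 403
    if path in USER_FUNCTIONS:
        return 200
    return 404

def enumeration_suspects(log_lines, threshold=3):
    """Flag sessions with many 403/404 responses: a non-admin session probing
    guessed paths leaves exactly that pattern in the access log."""
    misses = Counter()
    for line in log_lines:
        session_id, _path, status = line.split()
        if status in ("403", "404"):
            misses[session_id] += 1
    return sorted(s for s, n in misses.items() if n >= threshold)

# Constructed access log ("<session> <path> <status>") as the hardened dispatcher
# would record a normal admin and a user force browsing guessed admin URLs.
SAMPLE_LOG = [
    "sess-admin /create_user.php 200",
    "sess-bob /user.php 200",
    "sess-bob /test.php 404",
    "sess-bob /admin.php 404",
    "sess-bob /delete_user.php 403",
]
```

Run `enumeration_suspects(SAMPLE_LOG)` to see that only the probing session is flagged, while the same `/delete_user.php` request returns 200 from the vulnerable dispatcher and 403 from the hardened one.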
Why Test for IDOR Vulnerabilities?
During a penetration test we test for IDOR vulnerabilities to determine if we can get access to areas of web applications that we shouldn't. As defensive security professionals, you should test your organization's web applications to ensure vulnerable applications aren't pushed to production.
Testing for IDOR Vulnerabilities
Joe Sullivan is the Principal Security Strategist for Crossroads Information Security.
Joe is active in the Oklahoma City information security community as the chapter leader of the Oklahoma City Open Web Application Security Project (OWASP) and is a Cyber Patriot mentor, a GIAC Advisory Board member, and an InfraGard board member. Throughout his career, Joe has acquired numerous certifications including: GSTRT, GSLC, GPEN, GCIS, GCFE, CISSP, CNSSI 4012, CNSSI 4013, CNSSI 4014, NSTISSI 4011, NSTISSI 4015.
Joe also teaches MGT514: Security Strategic Planning, Policy, and Leadership for the SANS Institute.