IDOR

Insecure Direct Object References (IDOR) vulnerabilities are among the most critical security risks in modern applications. Exploiting an IDOR allows attackers to access or modify unauthorized data, often leading to severe security breaches. Finding IDORs requires a combination of manual testing, automation, and an understanding of common patterns in application logic. In this guide, we will dive deep into advanced techniques to uncover more IDOR vulnerabilities in web applications.

Understanding IDOR Vulnerabilities

IDOR occurs when an application fails to enforce proper authorization mechanisms for accessing objects, such as user profiles, invoices, or database entries. Attackers can manipulate object identifiers in API requests, URLs, or form fields to gain unauthorized access to data belonging to other users.

For example, if a user profile is accessed via:

GET /user/profile?id=1234

An attacker might change the id parameter to another value (id=5678) and view someone else's profile if no proper authorization check is in place.

Tips that I use to find more IDORs:

Prime Parameters to Probe

While hunting for Insecure Direct Object References (IDORs), certain parameters frequently emerge as high-value targets. Keep an astute eye on these variables:

id=
uid=
gid=
user=
account=
number=
order=
no=
doc=
file=
key=
email=
group=
profile=
edit=
report=

UUID Exploitation Techniques

Universally Unique Identifiers (UUIDs) are often perceived as impervious due to their non-predictability. However, misconfigurations can render them vulnerable. Here’s how to scrutinize them effectively:

1. Leak Hunting: UUIDs may inadvertently surface in logs, error messages, or embedded within page sources.

2. Predictability Assessment: Developers may inadvertently employ pseudo-random UUID generation, reducing entropy. Verify their randomness.

3. Simplification Attack: Swap a UUID with rudimentary numeric patterns or a default placeholder like 00000000-0000-0000-0000-000000000000. Oversights in access control may lead to unauthorized access.

4. Historical Data Mining: Utilize archival repositories such as the Wayback Machine or Common Crawl to uncover past UUID exposures.

Parameter Pollution Tactics

Consider an API endpoint structured as follows:

/api/messages?user_id=<USER_ID>

If an initial IDOR attempt on user_id proves unfruitful, employ parameter duplication:

/api/messages?user_id=<USER_ID>&user_id=<ALTERNATE_ID>

Additionally, when the application handles arrays, exploit list-based submissions:

/api/messages?user_ids[]=<USER_ID>&user_ids[]=<ALTERNATE_ID>

Testing with Alternative HTTP Methods

Evaluate the entire spectrum of HTTP request methods. Some applications enforce authorization only on specific methods while neglecting others:

GET
POST
PUT
PATCH
DELETE

Hashing and Encoding Reversals

Examine encoded URL parameters:

?filename=ZmlsZV8xMjMucGRm

Decipher the encoded string (often Base64) and manipulate it:

Original -> ZmlsZV8xMjMucGRm
Base64 Decode -> file_123.pdf
Alter -> file_999.pdf
Re-encode -> ZmlsZV8xOTkucGRm

Some applications may employ alternative hashing or encoding mechanisms. Leverage tools such as CyberChef or hashes.com to decode and manipulate values.

Fuzzing to Uncover Hidden Entry Points

A well-orchestrated fuzzing campaign can unearth neglected or misconfigured API endpoints.

For instance, consider:

/api/v1/messages/view

Two potential fuzzing points emerge:

/api/$FUZZ1$/messages/view$FUZZ2$

Crafting IDs Where None Exist

Endpoints may function without overt ID parameters. In such cases:

1. Append plausible identifiers manually to test for backend assumptions.

2. Replace generic placeholders (e.g., self or user) with explicit user IDs to assess unauthorized access possibilities.

IDOR and XSS Chaining for Maximum Impact

When IDOR vulnerabilities coexist with self-XSS, they can be weaponized into stored XSS that targets unsuspecting users.

Consider an API that permits folder creation:

/api/createFolder?user_id=123&folder_name=<malicious_payload>

If folder_name allows script execution and user_id is vulnerable to IDOR, an adversary can implant malicious JavaScript into another user’s workspace, leading to an escalated impact.

Best Techniques to Find More IDORs

1. Targeting API Endpoints and Web Requests

APIs often expose IDOR vulnerabilities due to poor access control. Follow these steps:

• Use Burp Suite, ZAP, or Postman to intercept API requests.

• Modify the object identifiers (user_id, invoice_id, account_id) and check if unauthorized data is accessible.

• Test different HTTP methods (GET, POST, PUT, DELETE) to assess IDOR impact beyond just reading data.

2. Automating IDOR Discovery with Burp Suite and Custom Scripts

• Burp Suite Extensions: Tools like Autorize and Auth Analyzer help automate the detection of IDOR vulnerabilities by replaying requests with unauthorized accounts.

• Custom Python Scripts: Use requests in Python to automate IDOR fuzzing by cycling through object IDs.

Example Python script for IDOR fuzzing:

import requests
url = "https://target.com/api/user/profile?id="
for i in range(1000, 1100):
    response = requests.get(url + str(i), cookies={'session': 'valid_session_cookie'})
    if "unauthorized" not in response.text:
        print(f"Potential IDOR found: {url}{i}")

3. Identifying Numeric and UUID-Based IDORs

• Applications use different identifier formats:

• Sequential numeric IDs (1234, 1235, 1236, etc.) are easy to exploit.

• UUIDs (e.g., 550e8400-e29b-41d4-a716–446655440000) require guesswork but may still be vulnerable.

• Look for patterns in API responses, JavaScript files, and database structures.

4. Reviewing Client-Side JavaScript for Clues

• JavaScript often contains hardcoded API endpoints and object IDs.

• Use DevTools > Sources or fetch JavaScript files with:

wget -r --no-parent -A .js https://target.com

• Search for API calls that include user IDs or resource IDs.

5. Exploring Multi-Tenant and Role-Based Access Scenarios

• Test regular user accounts vs. admin accounts.

• If an application has multi-tenant architecture, check if data from one tenant is accessible to another.

• Use low-privilege accounts to test access to privileged endpoints.

6. HTTP Parameter Pollution and Hidden Parameters

• Some applications use multiple parameters for object identification.

GET /profile?id=1234&id=5678

• If the backend processes only the second id, an attacker can manipulate it.

• Try adding additional parameters to override security checks.

7. Bypassing Access Controls via Method Manipulation

• Some APIs enforce security only on GET requests but not POST or PUT.

• Change request methods in Burp Repeater to check if unauthorized data modifications are possible.

8. Testing for IDOR in File and Document Access

• Some applications store files with predictable names:

https://target.com/uploads/invoices/1234.pdf

• Try accessing sequential files:

https://target.com/uploads/invoices/1235.pdf

• Check if API file downloads require authentication.

9. Manipulating GraphQL Queries for IDOR Testing

• GraphQL APIs often expose IDOR due to overly permissive query structures.

• Test queries with:

{   "query": "{ user(id: 5678) { email, role } }" }

• See if the API returns unauthorized user data.

10. Hunting IDOR in Mobile Applications

• Decompile APKs using jadx-gui to analyze API endpoints.

• Use MITM proxies like Burp Suite to intercept API calls.

• Modify request payloads and identifiers to check for unauthorized access.