Web Fundamentals | IDOR

Enes Cayvarlı
7 min readMar 17, 2023

--

Hi there, I’m glad to see you here. In this article, we’ll examine together the “IDOR” rooms in TryHackMe and PortSwigger. In some sections, I’ll share brief about the subject. Don’t forget! You must always research to learn more. I hope it will be helpful for you. Let’s start!

IDOR

Contents:

  • What is an IDOR?
  • An IDOR Example
  • Finding IDORs in Encoded IDs
  • Finding IDORs in Hashed IDs
  • Finding IDORs in Unpredictable IDs
  • Where are IDORs located?
  • A Practical IDOR Example
  • PortSwigger Lab Environment

What is an IDOR?

The Insecure Direct Object References (also known as IDOR) vulnerability exists due to insufficient access control to data objects in web applications that serve data based on user input. IDOR makes it possible for potential attackers to bypass authorization and directly access database records or files that they are not meant to see.

IDOR

Answer the questions below
Q1: What does IDOR stand for?
📣A1: Insecure Direct Object Reference

An IDOR Example

When we examine the emails, we can see that we received an email from the “orders@onlinestore.thm” e-mail address with a link where we can view the order information. ✉️

Order Confirmation
Invoice

Now we can view the order confirmation, which contains the order details.

Order : 1234

Let’s try changing the URL to view order number 1000. 👈🏼

Order : 1000

When we changed the order ID from 1234 to 1000, we displayed another user’s invoice. In this way we verified an IDOR vulnerability on the website.

Answer the questions below
Q1: What is the Flag from the IDOR example website?
📣A1: ***{***************}

Finding IDORs in Encoded IDs

When passing data from page to page either by post data, query strings, or cookies, web developers will often first take the raw data and encode it. Encoding ensures that the receiving web server will be able to understand the contents. Encoding changes binary data into an ASCII string commonly using the a-z, A-Z, 0–9 and = character for padding. The most common encoding technique on the web is base64 encoding and can usually be pretty easy to spot.

https://www.base64decode.org 👉🏼 Base64 Decoding

https://www.base64encode.org 👉🏼 Base64 Encoding

Encoding & Decoding

Answer the questions below
Q1: What is a common type of encoding used by websites?
📣A1: base64

Finding IDORs in Hashed IDs

Hashed IDs are a little bit more complicated to deal with than encoded ones, but they may follow a predictable pattern, such as being the hashed version of the integer value. For example, the ID number 150 would become 7ef605fc8dba5425d6965fbd4c8fbe1f if MD5 hashing were in use.

It’s worthwhile putting any discovered hashes through a web service such as https://crackstation.net (which has a database of billions of hash to value results) to see if we can find any matches.

Answer the questions below
Q1: What is a common algorithm used for hashing IDs?
📣A1: md5

Finding IDORs in Unpredictable IDs

A good way to test for IDOR is to first have 2 or more users who have access to different objects on the same website. Both users have to be logged in first. Then one user needs to modify the value of the parameter used to reference objects to be the same as the other user’s. If he is able to retrieve the object that only the other user should see then IDOR is present.

Answer the questions below
Q1: What is the minimum number of accounts you need to create to check for IDORs between accounts?
📣A1: 2

Where are IDORs located?

The vulnerable endpoint you’re targeting may not always be something you see in the address bar. It could be content your browser loads in via an AJAX request or something that you find referenced in a JavaScript file.

Sometimes endpoints could have an unreferenced parameter that may have been of some use during development and got pushed to production. For example, you may notice a call to /user/details displaying your user information (authenticated through your session). But through an attack known as parameter mining, you discover a parameter called user_id that you can use to display other users’ information, for example, /user/details?user_id=123.

A Practical IDOR Example

Firstly, we’ll need to log in. To do this, let’s click on the “Customers” section and create an account.

Customers
Signup

You can enter the “Username”, “Email Address” and “Password” information requested from us as you wish.

Signup

Once logged in, let’s click on the “Your Account” tab.

Your Account

We can start by investigating how this information gets pre-filled.

When we open the browser developer tools, let’s select the “Network” tab and then refresh the page. You’ll see a call to an endpoint with the path “/api/v1/customer?id={user_id}”.

❗️To open the developer tools in Mozilla Firefox:

  1. Open the browser.
  2. Press F12 on the keyboard.
  3. Or click “Menu > Web Development > Inspector”.
Network Tab

This page returns in JSON (JavaScript Object Notation) format the user id, username and email address. We can see from the path that the user information shown is taken from the query string’s id parameter.

Response

We know that the user we created has the ID number 15.

So, if we change the ID number, can we view the information of other users? Let’s try!

Answer the questions below
Q1: What is the username for user id 1?
📣A1: adam84

When we changed the ID number from 15 to 1, Adam’s username and e-mail address are visible to us.

id : 1
Username

Q2: What is the email address for user id 3?
📣A2: j@fakemail.thm

When we changed the ID number from 15 to 3, we can view John’s username and email address information.

id : 3
Email Address

PortSwigger Lab Environment

This lab stores user chat logs directly on the server’s file system, and retrieves them using static URLs. Solve the lab by finding the password for the user carlos, and logging into their account.

When we access the lab environment, we’re greeted by a shopping site and I guess there’s a bot that can help us in the “Live chat” section.

👉🏻Select the Live chat tab.

Live chat

After sending a few messages, we can download the chat history by clicking the “View transcript” button. 👀

👉🏻Send a message and then select View transcript.

View transcript

When we download the chat history, we may notice that there are files in sequential order, such as “2.txt, 3.txt, 4.txt”. We can also observe this situation from the “HTTP history” field under the “Proxy” tab.

So, where is the file named “1.txt”? 🤔

👉🏻Review the URL and observe that the transcripts are text files assigned a filename containing an incrementing number.

HTTP history

Let’s capture the request with Burp Suite and then send it to the “Repeater” to modify the request. After that, we can try to send a GET request for the file named “1.txt” by changing the URL.

👉🏻Change the filename to 1.txt and review the text.

Request

When we examine the response to the request we sent from the “Response” field, we can see the contents of the file named “1.txt”.

Here’s something interesting. I guess Carlos may have forgotten his password… 🤦🏻‍♂️

👉🏻Notice a password within the chat transcript.

Password

Let’s go back and try to log in using Carlos’ credentials from the “My account” tab. 🔐

👉🏻Return to the main lab page and log in using the stolen credentials.

Login
You solved the lab!

Congratulations! We basically learned together how to exploit the “IDOR” vulnerability, which is one of the web application vulnerabilities. 👊🏻

Thank you for your time. See you soon! Until that time.. Happy Hacking

Resources:

https://portswigger.net/web-security/access-control/idor

https://tryhackme.com/room/idor

--

--

Responses (1)