Web Fundamentals | IDOR

Enes Cayvarlı
7 min read · Mar 17, 2023

Hi there, I’m glad to see you here. In this article, we’ll work through the “IDOR” rooms in TryHackMe and PortSwigger together. In some sections, I’ll share a brief summary of the subject. Don’t forget: you should always research further to learn more. I hope it will be helpful for you. Let’s start!


Contents:

  • What is an IDOR?
  • An IDOR Example
  • Finding IDORs in Encoded IDs
  • Finding IDORs in Hashed IDs
  • Finding IDORs in Unpredictable IDs
  • Where are IDORs located?
  • A Practical IDOR Example
  • PortSwigger Lab Environment

What is an IDOR?

The Insecure Direct Object References (also known as IDOR) vulnerability exists due to insufficient access control to data objects in web applications that serve data based on user input. IDOR makes it possible for potential attackers to bypass authorization and directly access database records or files that they are not meant to see.


Answer the questions below
Q1: What does IDOR stand for?
📣A1: Insecure Direct Object Reference

An IDOR Example

When we examine the emails, we can see that we received an email from the “orders@onlinestore.thm” e-mail address with a link where we can view the order information. ✉️

Order Confirmation
Invoice

Now we can view the order confirmation, which contains the order details.

Order : 1234

Let’s try changing the URL to view order number 1000. 👈🏼

Order : 1000

When we changed the order ID from 1234 to 1000, we displayed another user’s invoice. In this way we verified an IDOR vulnerability on the website.

Answer the questions below
Q1: What is the Flag from the IDOR example website?
📣A1: ***{***************}

Finding IDORs in Encoded IDs

When passing data from page to page, whether by POST data, query strings, or cookies, web developers will often first take the raw data and encode it. Encoding ensures that the receiving web server will be able to understand the contents. Encoding turns binary data into an ASCII string, commonly using the characters a-z, A-Z and 0–9, with = for padding. The most common encoding technique on the web is base64 encoding, and it is usually pretty easy to spot.

https://www.base64decode.org 👉🏼 Base64 Decoding

https://www.base64encode.org 👉🏼 Base64 Encoding

Encoding & Decoding

Answer the questions below
Q1: What is a common type of encoding used by websites?
📣A1: base64

Finding IDORs in Hashed IDs

Hashed IDs are a little bit more complicated to deal with than encoded ones, but they may follow a predictable pattern, such as being the hashed version of the integer value. For example, the ID number 150 would become 7ef605fc8dba5425d6965fbd4c8fbe1f if MD5 hashing were in use.

It’s worthwhile putting any discovered hashes through a web service such as https://crackstation.net (which has a database of billions of hash to value results) to see if we can find any matches.

Answer the questions below
Q1: What is a common algorithm used for hashing IDs?
📣A1: md5
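
The encoded-ID and hashed-ID sections above come down to the same check, shown here as an added example (not code from TryHackMe or from the original article): a small audit helper that reports whether an identifier your application hands out is just an integer in disguise. `classify_id`, `MAX_ID` and the sample values are assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional, Tuple

MAX_ID = 10_000  # assumption: the application's numeric IDs fall in 0..MAX_ID

# MD5(str(n)) -> n for every integer the application could have issued.
MD5_OF_INT = {hashlib.md5(str(n).encode()).hexdigest(): n
              for n in range(MAX_ID + 1)}


def classify_id(value: str) -> Tuple[str, Optional[int]]:
    """Classify an identifier taken from a URL, cookie or form field.

    Returns (scheme, recovered_integer). Any recovered integer means the
    identifier is guessable and gives no protection by itself.
    """
    if re.fullmatch(r"[0-9]+", value):
        return "plain-integer", int(value)
    lowered = value.lower()
    if re.fullmatch(r"[0-9a-f]{32}", lowered) and lowered in MD5_OF_INT:
        return "md5-of-integer", MD5_OF_INT[lowered]
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return "opaque", None
    if re.fullmatch(r"[0-9]+", decoded):
        return "base64-of-integer", int(decoded)
    return "opaque", None


if __name__ == "__main__":
    samples = [
        "1234",                                   # order number from the walkthrough
        base64.b64encode(b"1000").decode(),       # constructed: base64 of 1000
        hashlib.md5(b"150").hexdigest(),          # constructed: MD5 of 150
        "9f1c2a4e-7b3d-4e8a-a6c1-2d5f0b7e9c31",   # constructed random-looking ID
    ]
    for s in samples:
        print(s, "->", classify_id(s))
```

An "opaque" result only means the ID is hard to guess; the server still has to check that the requesting user is allowed to read the object.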

Finding IDORs in Unpredictable IDs

A good way to test for IDOR is to first have 2 or more users who have access to different objects on the same website. Both users have to be logged in first. Then one user modifies the value of the parameter used to reference objects so that it matches the other user’s. If that user is able to retrieve an object that only the other user should see, then an IDOR is present.

Answer the questions below
Q1: What is the minimum number of accounts you need to create to check for IDORs between accounts?
📣A1: 2

Where are IDORs located?

The vulnerable endpoint you’re targeting may not always be something you see in the address bar. It could be content your browser loads in via an AJAX request or something that you find referenced in a JavaScript file.

Sometimes endpoints could have an unreferenced parameter that may have been of some use during development and got pushed to production. For example, you may notice a call to /user/details displaying your user information (authenticated through your session). But through an attack known as parameter mining, you discover a parameter called user_id that you can use to display other users’ information, for example, /user/details?user_id=123.

A Practical IDOR Example

Firstly, we’ll need to log in. To do this, let’s click on the “Customers” section and create an account.

Customers
Signup

You can fill in the requested “Username”, “Email Address” and “Password” fields however you like.

Signup

Once logged in, let’s click on the “Your Account” tab.

Your Account

We can start by investigating how this information gets pre-filled.

When we open the browser developer tools, let’s select the “Network” tab and then refresh the page. You’ll see a call to an endpoint with the path “/api/v1/customer?id={user_id}”.

❗️To open the developer tools in Mozilla Firefox:

  1. Open the browser.
  2. Press F12 on the keyboard.
  3. Or click “Menu > Web Development > Inspector”.

Network Tab

This endpoint returns the user id, username and email address in JSON (JavaScript Object Notation) format. We can see from the path that the user information shown is taken from the query string’s id parameter.

Response

We know that the user we created has the ID number 15.

So, if we change the ID number, can we view the information of other users? Let’s try!

Answer the questions below
Q1: What is the username for user id 1?
📣A1: adam84

When we changed the ID number from 15 to 1, Adam’s username and e-mail address became visible to us.

id : 1
Username

Q2: What is the email address for user id 3?
📣A2: j@fakemail.thm

When we changed the ID number from 15 to 3, we could view John’s username and email address.

id : 3
Email Address
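
The two-account test from “Finding IDORs in Unpredictable IDs”, applied to an endpoint shaped like the `/api/v1/customer?id=` call above, as an added example rather than the lab’s real code. The in-memory records, session tokens and function names are hypothetical; the fixed handler shows the ownership check that removes the IDOR.

```python
# Constructed sample data: IDs 1 and 15 mirror the walkthrough, the e-mail
# addresses and session tokens are invented for this example.
CUSTOMERS = {
    1: {"id": 1, "username": "adam84", "email": "adam@example.test"},
    15: {"id": 15, "username": "tester", "email": "tester@example.test"},
}
# Session token -> authenticated customer id (stand-in for a session store).
SESSIONS = {"sess-adam": 1, "sess-tester": 15}


def get_customer_vulnerable(session, requested_id):
    """Trusts the id parameter: any logged-in user can read any record."""
    if session not in SESSIONS:
        return 401, None
    record = CUSTOMERS.get(requested_id)
    return (200, record) if record else (404, None)


def get_customer_fixed(session, requested_id):
    """Serves a record only when it belongs to the session's own user."""
    owner = SESSIONS.get(session)
    if owner is None:
        return 401, None
    if requested_id != owner or requested_id not in CUSTOMERS:
        return 404, None  # same answer for "not yours" and "does not exist"
    return 200, CUSTOMERS[requested_id]


def cross_account_leaks(handler, sessions=SESSIONS):
    """Two-account check: each session requests every other account's object.

    Returns the (requesting_user, object_id) pairs that were wrongly served.
    """
    leaks = []
    for session, user_id in sessions.items():
        for other_id in sessions.values():
            if other_id == user_id:
                continue
            status, body = handler(session, other_id)
            if status == 200 and body is not None:
                leaks.append((user_id, other_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", cross_account_leaks(get_customer_vulnerable))
    print("fixed:     ", cross_account_leaks(get_customer_fixed))
```

Run as a regression test, `cross_account_leaks` should return an empty list for every object-serving endpoint.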

PortSwigger Lab Environment

This lab stores user chat logs directly on the server’s file system, and retrieves them using static URLs. Solve the lab by finding the password for the user carlos, and logging into their account.

When we access the lab environment, we’re greeted by a shopping site and I guess there’s a bot that can help us in the “Live chat” section.

👉🏻Select the Live chat tab.

Live chat

After sending a few messages, we can download the chat history by clicking the “View transcript” button. 👀

👉🏻Send a message and then select View transcript.

View transcript

When we download the chat history, we may notice that there are files in sequential order, such as “2.txt, 3.txt, 4.txt”. We can also observe this situation from the “HTTP history” field under the “Proxy” tab.

So, where is the file named “1.txt”? 🤔

👉🏻Review the URL and observe that the transcripts are text files assigned a filename containing an incrementing number.

HTTP history

Let’s capture the request with Burp Suite and then send it to the “Repeater” to modify the request. After that, we can try to send a GET request for the file named “1.txt” by changing the URL.

👉🏻Change the filename to 1.txt and review the text.

Request

When we examine the response to the request we sent from the “Response” field, we can see the contents of the file named “1.txt”.

Here’s something interesting. I guess Carlos may have forgotten his password… 🤦🏻‍♂️

👉🏻Notice a password within the chat transcript.

Password

Let’s go back and try to log in using Carlos’ credentials from the “My account” tab. 🔐

👉🏻Return to the main lab page and log in using the stolen credentials.

Login
You solved the lab!
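
Seen from the server side, the requests made in this lab stand out in an access log. The following added example (not part of the lab or of Burp Suite) flags transcript downloads by a session that was never issued that file; the log format, the `/transcript/` path and the session names are constructed for the illustration.

```python
import re

# Constructed access-log lines in an assumed format:
#   <session> <METHOD> <path> <status> [issued=<file>]
# "issued=" records which transcript the server generated for that session.
SAMPLE_LOG = """\
sessA POST /transcript 302 issued=2.txt
sessA GET /transcript/2.txt 200
sessB POST /transcript 302 issued=3.txt
sessB GET /transcript/3.txt 200
sessB GET /transcript/1.txt 200
sessB GET /transcript/2.txt 200
sessB GET /transcript/9.txt 404
"""

LINE = re.compile(
    r"^(?P<session>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: issued=(?P<issued>\S+))?$"
)
TRANSCRIPT = re.compile(r"^/transcript/(?P<file>\d+\.txt)$")


def foreign_transcript_reads(log_text):
    """Return (session, file, status) for every transcript request made by a
    session that was never issued that file."""
    issued = {}      # session -> set of files generated for it
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines in other formats
        session = m["session"]
        if m["issued"]:
            issued.setdefault(session, set()).add(m["issued"])
            continue
        t = TRANSCRIPT.match(m["path"])
        if m["method"] == "GET" and t and t["file"] not in issued.get(session, set()):
            findings.append((session, t["file"], int(m["status"])))
    return findings


if __name__ == "__main__":
    for session, name, status in foreign_transcript_reads(SAMPLE_LOG):
        print(f"{session} requested {name} (HTTP {status}) without owning it")
```

Findings with status 200 are confirmed exposures; 404s from the same session show the surrounding enumeration.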

Congratulations! We basically learned together how to exploit the “IDOR” vulnerability, which is one of the web application vulnerabilities. 👊🏻

Thank you for your time. See you soon! Until then, happy hacking!

Resources:

https://portswigger.net/web-security/access-control/idor

https://tryhackme.com/room/idor
