Very simply put, this vulnerability (Insecure Direct Object Reference, IDOR) is present when an attacker is able to access an object which they should not be able to access. "Sending the object in the POST body can protect from IDOR"... WRONG. Let's go through the demo.
1) Below is a screen which changes the secret word (it can be anything, for example a password) and stores it in the database.
2) Intercept the request using an intercepting proxy; here I have used Burp Suite.
3) Here is our request to change the secret.
4) Now I have changed it to "changed secret".
In the above example we see how easily the secret can be changed. Let's do some more harm and get some money involved now.
1) Below is the portal to book movie tickets.
2) Once the booking is confirmed, the deducted balance is shown. It may be deducted from an online wallet or something similar.
3) Now we book 20 tickets and intercept the request using Burp.
4) The intercepted request can be changed to alter the number of tickets.
5) See the output... the amount deducted was so large that it was displayed in exponential notation.
- Tokenization – Mapping tokens in place of direct object references. Tokens should be generated randomly by some means and should neither repeat nor be easy to guess.
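As an added example (not code from the original post), the snippet below contrasts the vulnerable "change secret" handler, which trusts the object id sent in the POST body, with a hardened version that resolves a random per-user token and checks ownership, and a ticket-booking handler that validates the quantity and computes the amount server side. The users, object ids, prices and wallet balances are constructed sample data.

```python
import secrets

# Constructed sample data: who owns which object, and wallet balances.
OBJECTS = {101: {"owner": "alice", "secret": "s1"},
           102: {"owner": "bob", "secret": "s2"}}
WALLETS = {"alice": 100, "bob": 100}
TICKET_PRICE = 10
MAX_TICKETS = 10


class TokenMap:
    """Maps random, non-guessable tokens to (user, object id)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user, object_id):
        # 32 random bytes from the OS CSPRNG: practically never repeats
        # and cannot be guessed or enumerated like a sequential id.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, object_id)
        return token

    def resolve(self, user, token):
        entry = self._tokens.get(token)
        if entry is None or entry[0] != user:
            return None  # unknown token, or issued to a different user
        return entry[1]


def change_secret_vulnerable(object_id, new_secret):
    # IDOR pattern: the id from the request body is used as-is,
    # with no check that the caller owns object_id.
    OBJECTS[object_id]["secret"] = new_secret
    return True


def change_secret_hardened(token_map, session_user, token, new_secret):
    # The id never leaves the server; the client only holds a token,
    # and ownership is still re-checked against the session user.
    object_id = token_map.resolve(session_user, token)
    if object_id is None or OBJECTS[object_id]["owner"] != session_user:
        return False
    OBJECTS[object_id]["secret"] = new_secret
    return True


def book_tickets_hardened(session_user, quantity):
    # Quantity is bounded and the amount is computed server side, so a
    # tampered ticket count cannot produce an arbitrary deduction.
    if type(quantity) is not int or not 1 <= quantity <= MAX_TICKETS:
        return None
    cost = quantity * TICKET_PRICE
    if WALLETS[session_user] < cost:
        return None
    WALLETS[session_user] -= cost
    return cost
```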