Insecure direct object reference

Very simply put, this vulnerability is present when an attacker is able to access an object which they ideally should not be able to access. "Sending the object in the POST body can protect from IDOR" .. WRONG. Let's hit the demo.

DEMO

EXAMPLE 1 

1) Below is a screen which changes the secret word (can be anything, maybe a password) and stores it in the database.

[Screenshot 1idor] New secret is "new secret"

2) Intercept the request using an intercepting proxy; here I have used Burp Suite.

[Screenshot 2idor] "Intercept is on" so that all requests are intercepted

3) Here is our request to change the secret.

[Screenshot 3idor] The highlighted portion is our entered secret

4) Now I have changed it to "changed secret".

[Screenshot 4idor] See the highlighted changed secret

In the above example we see how easily the secret can be changed. Let's do some more harm: get some money involved now.

EXAMPLE 2

1) Below is the portal to book movie tickets.

[Screenshot 5idor] We just need to enter the number of tickets

2) Once confirmed, the balance deducted is shown. It may be deducted from an online wallet or something similar.

[Screenshot 6idor] Fair enough, 1 ticket = 15 EUR

3) Now we book 20 tickets and intercept the request using Burp.

[Screenshot 7idor] 20 tickets booked

4) The intercepted request can be changed to alter the number of tickets.

[Screenshot 8idor] See highlighted

5) See the output... the amount deducted was so large that it was displayed in exponential notation.

[Screenshot 9idor] What if the ticket number had been changed to 21 instead of 2000000000000000? The tampering would be far less obvious.
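The booking handler below is an added example written for this post; it is not the code behind the demo portal. It reproduces the behaviour the screenshots show (the server trusting whatever ticket count arrives in the intercepted request and multiplying it as a float, which is why the deducted amount came out in exponential notation) next to a hardened handler that validates the count, computes the price from server-side constants and checks the wallet before charging. The price of 15 EUR comes from the demo; the per-order limit of 20 tickets, the wallet balance and the request bodies are assumptions constructed for the example.

```python
import re
from decimal import Decimal
from urllib.parse import parse_qs

# From the demo: one ticket costs 15 EUR.
TICKET_PRICE_EUR = Decimal("15")
# Assumed business limit (the post does not state one); 21 is rejected, 20 is fine.
MAX_TICKETS_PER_ORDER = 20


class BookingError(ValueError):
    """Raised when the booking request is rejected server-side."""


def parse_form_body(body: str) -> dict:
    """Minimal parser for an application/x-www-form-urlencoded POST body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_charge(raw_count: str) -> float:
    """Behaviour shown in the demo: the tampered count is used as-is,
    so 2000000000000000 tickets becomes a charge of 3e+16."""
    return float(raw_count) * float(TICKET_PRICE_EUR)


def parse_ticket_count(raw_count: str) -> int:
    """Accept only a plain ASCII integer within the allowed range."""
    if not isinstance(raw_count, str) or not re.fullmatch(r"[0-9]+", raw_count):
        raise BookingError("ticket count must be a positive integer")
    count = int(raw_count)
    if count < 1 or count > MAX_TICKETS_PER_ORDER:
        raise BookingError(
            f"ticket count must be between 1 and {MAX_TICKETS_PER_ORDER}")
    return count


def book_tickets(raw_count: str, wallet_balance) -> dict:
    """Hardened handler: bounded count, server-side price, balance check.
    wallet_balance may be a Decimal, int or numeric string."""
    balance = Decimal(wallet_balance)
    count = parse_ticket_count(raw_count)
    total = TICKET_PRICE_EUR * count
    if total > balance:
        raise BookingError("insufficient funds")
    return {"tickets": count, "charged": total, "balance": balance - total}


def booking_outcome(raw_count: str, wallet_balance) -> tuple:
    """Convenience wrapper: ('accepted', result) or ('rejected', reason)."""
    try:
        return ("accepted", book_tickets(raw_count, wallet_balance))
    except BookingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed request bodies standing in for the intercepted Burp requests.
    honest = parse_form_body("tickets=20")
    tampered = parse_form_body("tickets=2000000000000000")
    print("vulnerable charge:", vulnerable_charge(tampered["tickets"]))
    for body in (honest, tampered, {"tickets": "21"}, {"tickets": "-1"}):
        print("hardened:", body["tickets"], "->", booking_outcome(body["tickets"], "500"))
```

The fix is not in the proxy or the form but in the handler: the quantity is parsed strictly, capped, and the amount is recomputed from a server-side price with Decimal rather than float, so there is no way for a tampered request to produce a charge the server did not itself calculate.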

REMEDIATION

  • Tokenization – map tokens in place of the direct object reference. Tokens should be generated randomly by some means and must neither repeat nor be easy to guess.

[Screenshot 10idor]
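The following is an added example of the tokenization remediation, written for this post rather than taken from it: a per-session indirect reference map that hands the client a random token instead of the real object id, plus the ownership check that must still run server-side even when tokens are used. It reuses the "change secret" flow from example 1. The in-memory table, the user names and the secret values are constructed for the example.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory "database": object id -> owner and stored secret.
SECRETS_DB = {
    101: {"owner": "alice", "secret": "new secret"},
    102: {"owner": "bob", "secret": "bob's secret"},
}


class IndirectReferenceMap:
    """Per-session map between random tokens and real object ids.

    The client only ever sees the token; the real id never leaves the server.
    Tokens come from secrets.token_urlsafe, so they are unpredictable and do
    not repeat, which is exactly what the remediation above asks for."""

    def __init__(self) -> None:
        self._token_to_id: Dict[str, int] = {}
        self._id_to_token: Dict[int, str] = {}

    def token_for(self, object_id: int) -> str:
        """Return this session's token for an object, minting one if needed."""
        if object_id not in self._id_to_token:
            token = secrets.token_urlsafe(16)  # 128 bits of randomness
            self._token_to_id[token] = object_id
            self._id_to_token[object_id] = token
        return self._id_to_token[object_id]

    def resolve(self, token: str) -> Optional[int]:
        """Map a token back to the real id, or None if it was never issued here."""
        return self._token_to_id.get(token)


class Session:
    """Minimal stand-in for a server-side session bound to one user."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.refs = IndirectReferenceMap()


def render_secret_form(session: Session, object_id: int) -> str:
    """Server side of rendering the 'change secret' page: the form carries
    a token for the object, never the raw id."""
    if SECRETS_DB[object_id]["owner"] != session.user:
        raise PermissionError("not the owner")
    return session.refs.token_for(object_id)


def change_secret(session: Session, token: str, new_secret: str) -> str:
    """Handler for the POST. Two independent checks: the token must have been
    issued to this session, and the resolved object must belong to this user."""
    object_id = session.refs.resolve(token)
    if object_id is None:
        return "rejected: unknown reference"
    row = SECRETS_DB[object_id]
    if row["owner"] != session.user:
        return "rejected: not the owner"
    row["secret"] = new_secret
    return "ok"


if __name__ == "__main__":
    alice = Session("alice")
    token = render_secret_form(alice, 101)
    print("alice changes her own secret:", change_secret(alice, token, "changed secret"))
    bob = Session("bob")
    print("bob replays alice's token:", change_secret(bob, token, "hijacked"))
    print("bob sends the raw id instead:", change_secret(bob, "101", "hijacked"))
    print("stored secret for 101:", SECRETS_DB[101]["secret"])
```

Two points are worth noting. The token map removes the guessable identifier from the request, which is the remediation the post names, but the ownership check in change_secret is kept anyway so that a bug in the map (or a token leaked between sessions) does not become an IDOR again. And because tokens are looked up in a per-session dictionary, a valid token from one user's session resolves to nothing in another's, so there is no cross-user reference to tamper with.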