Introduction

We covered Insecure Direct Object Reference Vulnerability and how to exploit it. You’re going to learn what an IDOR vulnerability is, what they look like, how to find them and a practical task exploiting a real case scenario.

What is an IDOR?

IDOR stands for insecure direct object reference. Web developers design an application to directly retrieve information from a database based on an argument provided by the user in either a query string or a POST request. For example, this query string might be used to retrieve a document from a document management system

https://www.mycompany.com/getDocument.php?documentID=1842

The attacker can modify the above link to
attempt to retrieve other documents, such as in these examples

https://www.mycompany.com/getDocument.php?documentID=1841

https://www.mycompany.com/getDocument.php?documentID=1843

https://www.mycompany.com/getDocument.php?documentID=1844

Doing so allow the attacker to retrieve pages with content that belongs to other users such as the ability to modify or view hidden pages.

OSCP Study Notes

Web Hacking & Pentesting Study Notes

Practical Demonstration of IDOR

  1. Initial Setup:
    • Navigate to a TryHackMe challenge URL for IDOR.
    • Deploy the machine to get an IP address.
    • Log in or create a test account to access user-specific data.
  2. Identifying a Vulnerable URL:
    • Review email links or web pages for parameters like ID=1234.
    • Test whether changing the parameter value grants access to other users’ data.
  3. Exploitation Example:
    • Navigate to a URL containing ID=1234 and manually change the ID to ID=1000.
    • If the page displays data from another user or resource, the application is vulnerable.
    • The example showed retrieving data such as usernames, emails, and account IDs by iterating through different IDs.

Finding IDOR Without Visible IDs

  • Steps:
    • Use browser developer tools (e.g., Network tab) to inspect HTTP requests.
    • Look for hidden IDs in requests to APIs or backend endpoints.
    • Modify these IDs to test access control.
  • Example:
    • A request GET /api/v1/customer?id=15 shows the user’s details.
    • Changing id=15 to another value (e.g., id=1) may reveal another user’s data.

Key Takeaways

  • How IDOR Works:
    • Exploits improper or missing access control mechanisms.
    • Allows attackers to enumerate or access unauthorized resources by changing parameters.
  • Preventing IDOR:
    • Implement proper access control checks on the server.
    • Validate user permissions for every requested resource.
  • Real-World Relevance:
    • IDOR is part of the OWASP Top 10 vulnerabilities.

Room Answers | TryHackMe IDOR

What does IDOR stand for?
What is the Flag from the IDOR example website?
What is a common type of encoding used by websites?
What is a common algorithm used for hashing IDs?
What is the minimum number of accounts you need to create to check for IDORs between accounts?
hat is the username for user id 1?
 

What is the email address for user id 3?

 

Video Walk-Through

 

, , , ,
Show Comments

MasterMind Study Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles