THM — IDOR WriteUp

Fahri Korkmaz
3 min read · Dec 5, 2021

This is a Walkthrough room on TryHackMe with “Easy” difficulty. It is part of the “Jr Penetration Tester” Learning Path under the “Introduction to Web Hacking” module. In this blog article I will explain what an IDOR vulnerability is, how to exploit it and how to mitigate it.

What is IDOR?

IDOR stands for Insecure Direct Object Reference. It describes a type of vulnerability in the authentication functionality of a web application. The vulnerability exists if user-supplied input is used to retrieve objects without validating the input. The following fictional example describes an IDOR vulnerability:

You have signed up to an online shop. By going through your orders you spot the following URL: https://www.shop.localhost/shopping_cart?user_id=1234. Now if you change the user_id to something like 1000 (full URL: https://www.shop.localhost/shopping_cart?user_id=1000), you will see the shopping cart of another user.

Sometimes, instead of using an integer in the URL (e.g. 1234), this data gets encoded. A widely used encoding is base64. If you encode 1234 with base64 you will get MTIzNA==. You can do that with online tools such as CyberChef or use Bash:

echo -n "1234" | base64

Decoding the base64 string is easy. Just use CyberChef again or your command line:

echo "MTIzNA==" | base64 -d

Another way parameters might be transferred is by using hashing. For example, the value 1234 might be hashed with MD5: 81dc9bdb52d04dc20036dbd8313ed055. If you see values like this, you would also need to hash your own value. This can be done with online tools or the following Bash command:

echo -n "1234" | md5sum

If you need to crack hashes, try a service like Crackstation, or use cracking tools such as Hashcat or John the Ripper.

Also keep in mind that values might not be seen in the URL. Maybe the web app uses JavaScript to get the data. So always check the scripts and the network communication with your browser's DevTools.

Finally, to make finding IDOR vulnerabilities easier, e.g. in Bug Bounty, you could just create two accounts. Then try to access URLs or resources from one account by using the ID of the other account.

A practical IDOR vulnerability

Before trying to find a vulnerability in the web app of this challenge, we have to create an account. Navigate to the sign up page (URI: /customers/signup) and create an account. After that you should be logged in.

You can change your account settings on the “Your Account” page. If you navigate to the page, some of the data will be populated via JavaScript.

After we open the network tab in the developer tools and refresh, we can see that there is an API request made.

The response contains the user ID, username and email.

We can now try reading the data of the user with the user ID 1. This can be accomplished by sending a GET request to /api/v1/customer?id=1.

We can also read the information of the user with the ID 3.

Mitigation

To mitigate IDOR vulnerabilities, a developer should always check if the requesting subject has permissions to access the requested object.
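
One way to implement this check, shown beside the vulnerable form, as an added example that is not part of the original article or the TryHackMe room's code. The `Session` type, the `CUSTOMERS` data, the function names and the admin exception are assumptions made for illustration; IDs 1 and 3 are the ones read above, and ID 50 stands in for the newly created account.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the customer table.
CUSTOMERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.test"},
    3: {"id": 3, "username": "carol", "email": "carol@example.test"},
    50: {"id": 50, "username": "newuser", "email": "newuser@example.test"},
}


@dataclass(frozen=True)
class Session:
    """Identity established server-side at login (hypothetical type)."""
    user_id: int
    is_admin: bool = False  # assumed role flag, not taken from the article


def get_customer_vulnerable(session, requested_id):
    """IDOR: the caller-supplied id alone selects the record."""
    record = CUSTOMERS.get(int(requested_id))
    return (200, record) if record else (404, None)


def get_customer(session, requested_id):
    """Hardened: the session's subject must be allowed to read the object."""
    try:
        object_id = int(requested_id)
    except (TypeError, ValueError):
        return 400, None
    # Authorization is decided from the server-side session, never from the
    # request parameter. It runs before the lookup so the response does not
    # reveal which ids exist.
    if object_id != session.user_id and not session.is_admin:
        return 403, None
    record = CUSTOMERS.get(object_id)
    return (200, record) if record else (404, None)


def cross_account_check(handler):
    """Two-account regression test: may account 50 read accounts 1 and 3?"""
    me = Session(user_id=50)
    return {other: handler(me, str(other))[0] for other in (1, 3)}
```

Encoding or hashing the ID in the URL does not replace this check, because the decision has to come from the session rather than from the parameter.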
