Insecure Direct Object References (IDOR)

CWE-639: Authorization Bypass Through User-Controlled Key

Understanding Insecure Direct Object References (IDOR)

What is IDOR?

Insecure Direct Object References (IDOR) occur when an application uses user-supplied input to access objects directly without proper access control checks. This vulnerability can lead to unauthorized access to data or functions, enabling attacks such as horizontal and vertical privilege escalation.

How IDOR Occurs

IDOR vulnerabilities typically arise when the application fails to verify if a user is authorized to access or manipulate an object. These vulnerabilities are most commonly associated with horizontal privilege escalation (accessing data of other users at the same privilege level) but can also involve vertical privilege escalation (accessing data or functions reserved for higher privilege levels).

6. C#/.NET Example (ASP.NET MVC)

Scenario: An ASP.NET MVC application allows users to view their orders by passing an order ID in the query string.

Vulnerable Code:

// Vulnerable code: No access control check
public ActionResult ViewOrder(int orderId)
{
    var order = db.Orders.Find(orderId);
    return View(order);
}

Explanation:

The application directly uses the orderId parameter to retrieve order information.
An attacker can modify the orderId in the query string to view orders belonging to other users.

Checklist for Testing IDOR Vulnerabilities

1. Identify User-Controlled Parameters

Review URLs, POST bodies, headers, and cookies for parameters that reference objects (e.g., user_id, file_id, etc.).
Look for identifiers exposed in client-side code or API responses.

2. Test Parameter Manipulation

Attempt to change the parameter value to that of another user’s ID or object reference.
Observe if unauthorized data or functions are exposed.

3. Examine API Endpoints

Review RESTful API endpoints for object references in URLs or request bodies.
Test different object IDs in API requests to see if unauthorized data is returned.

4. Test with Different User Roles

Use accounts with different privilege levels (e.g., admin, regular user, guest) to test if object references can be used to escalate privileges.``

Pro Tip:

Identify Authentication Methods: Make sure to capture the session cookie, authorization header, or any other form of authentication used in requests.
Use Auth-Analyzer in Burp Suite: Pass these authentication tokens to the Auth-Analyzer Burp extension. This tool will replay all requests with the captured session information.
Test with Another User: Log in as a different user and activate the Auth-Analyzer extension. If you see the SAME tag in the extension results, this could indicate an IDOR vulnerability.
Manual Verification: Always manually check the request to confirm whether the vulnerability is genuine.
Assess ID Predictability: Determine if the IDs are predictable. If they aren't, investigate where they might be leaked, such as in other API responses. This could help in further exploitation or verification of the vulnerability.

UUID/GUID

UUID (Universally Unique Identifier) or GUID (Globally Unique Identifier) is a 128-bit number used to uniquely identify information in computer systems. They are widely used in databases, software development, and distributed systems to ensure that identifiers are unique across different systems and times.

UUIDs are typically represented as a series of hexadecimal digits, often split into five groups, separated by hyphens. For example: 123e4567-e89b-12d3-a456-426614174000.

Types of UUID

Tools for decoding and analyzing UUIDs

UUID Decoder | UUIDTools.comwww.uuidtools.com

The version and variant are encoding within UUIDs.

Version Digit ("M")

Hex Digit

UUID Version

version-1

version-2

version-3

version-4

version-5

6 - f, 0

version unknown

Variant digit ("N")

Binary Representation ‡

Hex Digit

Variant

0xxx

0 - 7

reserved (NCS backward compatible)

10xx

8 - b

DCE 1.1, ISO/IEC 11578:1996

110x

c - d

reserved (Microsoft GUID)

1110

reserved (future use)

1111

unknown / invalid. Must end with "0"

Nil UUID – Version 0

00000000-0000-0000-0000-000000000000

Usually used for fixed UUIDs like for testing accounts and default credentials,.............

Time-based UUID – Version 1

e6e3422c-c82d-11ed-8761-3ff799965458

this kind of UUIDs is time and node based and the Clock part is usually random

As you might expect, relying on UUID v1 for sensitive actions is inherently insecure. In this video, a scenario is demonstrated where an application uses UUID v1 as a token for password resets. An attacker can easily extract other users' UUIDs (eg. from creating account or API calls), determine the timestamp, and either manually generate valid password reset tokens or brute-force the clock component.

DCE Security UUID – Version 2

b165e8c6-5e9a-21ea-9e00-0242ac130003

Name-based UUID - Version 3 and 5

18f99f82-61f7-3530-8d8a-8fdf2cd0cae0
b21b95a4-56c3-51de-8828-1bb7bd249fd2

Randomly Generated GUID - Version 4

0d706e07-75b5-4553-8abd-6c3d52fdbf70

Hacking Unpredictable IDORs

Unpredictable IDs may seem secure, but there are various ways they can still be found:

Wayback Machine: This archive service can store old URLs, which might contain unpredictable IDs. You can search it using:
```
https://web.archive.org/cdx/search/cdx?url=*.test.com/*&output=text&fl=original&collapse=urlkey
```
AlienVault OTX: This threat intelligence platform inadvertently archives URLs, which might have unpredictable IDs in parameters or paths. Use the API:
```
https://otx.alienvault.com/api/v1/indicators/{TYPE}/{DOMAIN}/url_list?limit=500
```
URLScan: This tool scans websites for malicious content, often logging unpredictable IDs in URLs:
```
https://urlscan.io/api/v1/search/?q=domain:{DOMAIN}&size=10000
```
Common Crawl: This project archives web pages, which may contain unpredictable IDs:
```
https://commoncrawl.org/
```

VirusTotal: This service analyzes suspicious URLs, which might leak IDs:

https://www.virustotal.com/vtapi/v2/domain/report?apikey={APIKEY}&domain={DOMAIN}

Atomated tools: Collect urls using automated ools like waymore,waybackurls and gau and then using regex extract urls that otains uuids on it

GitHub - xnl-h4ck3r/waymore: Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan, VirusTotal & Intelligence X!GitHub

Fixed-IDs

Interestingly, the application used some fixed UUIDs like 00000000-0000-0000-0000-000000000000 and 11111111-1111-1111-1111-111111111111 for some _administrative_ users

OLD UUIDs: If you can leak some old IDs using wayback machine for instance, you might be able to brute force sequentially the ones after.

Code Examples

1. PHP Example

// Incorrect (Vulnerable)
$user_id = $_GET['user_id'];
$query = "SELECT * FROM users WHERE id = $user_id";
$result = mysqli_query($conn, $query);

// Correct (Secure)
session_start();
$current_user_id = $_SESSION['user_id'];
$query = "SELECT * FROM users WHERE id = $current_user_id";
$result = mysqli_query($conn, $query);

2. JavaScript/Node.js Example

// Incorrect (Vulnerable)
app.get('/user/:id', (req, res) => {
  const user = db.users.find(req.params.id);
  res.send(user);
});

// Correct (Secure)
app.get('/user/:id', (req, res) => {
  const user = db.users.find(req.params.id);
  if (user.id !== req.session.userId) {
    return res.status(403).send('Access Denied');
  }
  res.send(user);
});

3. Python/Flask Example

# Incorrect (Vulnerable)
@app.route('/user/<int:user_id>')
def get_user(user_id):
    user = User.query.get(user_id)
    return jsonify(user.serialize())

# Correct (Secure)
@app.route('/user/<int:user_id>')
def get_user(user_id):
    if user_id != current_user.id:
        return jsonify({"error": "Access Denied"}), 403
    user = User.query.get(user_id)
    return jsonify(user.serialize())

Prevention Techniques

Always verify that the user is authorized to access or modify the object.
Use session or JWT tokens to determine the current user instead of relying on user-controlled parameters.
Avoid Exposing Identifiers in URLs