Insecure Direct Object References (IDOR) has been placed fourth on the list of OWASP Top 10 Web application security risks since 2013. It allows an authorized user to obtain information from other users and could be established in any type of web applications. Basically, it allows requests to be made to specific objects through pages or services without the proper verification of requester’s right to the content.
OWASP definition: Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks.
The Application uses untested data in a SQL call that is accessing account information.
Let consider a scenario where a web application allows the login user to change his secret value.
Here you can see the secret value must be referring to some user account of the database.
Currently, user bee is login into a web server for changing his secret value but he is willing to perform some mischievous action that will change the secret value for another user.
Using burp suite we had captured the request of the browser where you can see in the given image login user is the bee and secret value is hello; now manipulate the user from another user.
SQLquery = “SELECT * FROM useraccounts WHERE account = ‘bee’;
Now let’s change user name into raj as shown in the given image. To perform this attack in an application it requires at least two user accounts.
SQLquery = “SELECT * FROM useraccounts WHERE account = ‘raj’;
Great!!! We have successfully changed the secret value for raj.
Note: in any official website the attacker will replace user account from an admin account.
Let take another scenario that looks quite familiar for most of the IDOR attack.
Many times we book different order online through their web application, for example, bookmyshow.com for movie ticket booking.
Let consider the same scenario in bwapp for movie ticket booking, where I had book 10 tickets of 15 EUR for each.
Now let’s confirm it and capture the browser request through burp suite.
Now you can see we have intercepted request were highlighted text contains a number of tickets and price of one ticket i.e 15 EUR it means it will reduce 150 EUR from my (user) account; now manipulate this price from your desired price.
I had changed it into 1 EUR which means now it will reduce only 10 EUR from the account, you can observe it from a given image then forward the request.
Awesome!!! We had booked the 10 tickets in 10 EUR only.
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here