Access Control

Introduction

  • IDOR - Insecure Direct Object Reference
  • An IDOR vulnerability exists when changing an id value in a request displays another user's information, because the server looks up the object by id without checking that the requester is allowed to see it.
  • Example: https://onlinestore.thm/order/1000/invoice. If the value 1000 is changed to another order number, the invoice belonging to that order (and its owner) is displayed.

Encoded IDs

  • IDs can also be encoded rather than referenced directly.
  • Base64 is the most commonly used encoding format on websites.
  • Instead of 1000, the encoded value MTAwMA== can be used; it decodes back to 1000.
  • The website below can help with encoding and decoding values.

Hashed IDs

  • Hashed IDs are a little more complicated than encoded IDs, because a hash cannot simply be decoded.
  • With MD5 hashing, the id 123 becomes 202cb962ac59075b964b07152d234b70.
  • The websites below can help in looking up the original value for a hash.

Unpredictable IDs

  • An excellent method of IDOR detection is to create two accounts and swap the ID numbers between them.
  • If you can view the other user's content using their ID number while logged in with a different account (or not logged in at all), you've found a valid IDOR vulnerability.
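The encoded and hashed IDs above and the two-account swap test come together in this added example (not code from the original notes or from onlinestore.thm): a toy invoice lookup that resolves a plain, Base64-encoded or MD5-hashed id, shown once without an ownership check (the IDOR) and once with it. The order data, user names and function names are constructed for illustration.

```python
import base64
import hashlib
from typing import Optional

# Constructed sample data: order id -> owner and invoice text.
ORDERS = {
    1000: {"owner": "alice", "invoice": "Invoice #1000 for alice"},
    123: {"owner": "bob", "invoice": "Invoice #123 for bob"},
}

# Reverse index of md5(id) -> id, so a hashed id parameter can be mapped back.
MD5_INDEX = {hashlib.md5(str(oid).encode()).hexdigest(): oid for oid in ORDERS}


def resolve_id(raw: str) -> Optional[int]:
    """Map a plain, Base64-encoded or MD5-hashed id parameter to an order id.

    Encoding or hashing only obscures the id; it is not an access check.
    """
    if raw.isdigit():
        return int(raw)
    try:
        decoded = base64.b64decode(raw, validate=True).decode()
        if decoded.isdigit():
            return int(decoded)
    except (ValueError, UnicodeDecodeError):
        pass  # not valid Base64 text; fall through to the hash lookup
    return MD5_INDEX.get(raw.lower())


def get_invoice_vulnerable(session_user: str, raw_id: str) -> Optional[str]:
    """IDOR: the invoice is returned to whoever supplies a valid id."""
    order = ORDERS.get(resolve_id(raw_id))
    return order["invoice"] if order else None


def get_invoice_fixed(session_user: str, raw_id: str) -> Optional[str]:
    """Fixed: the record is returned only if it belongs to the logged-in user."""
    order = ORDERS.get(resolve_id(raw_id))
    if order is None or order["owner"] != session_user:
        return None  # same response for "missing" and "not yours"
    return order["invoice"]


if __name__ == "__main__":
    # bob submits alice's (encoded) id, as in the two-account test above
    print(get_invoice_vulnerable("bob", "MTAwMA=="))  # leaks alice's invoice
    print(get_invoice_fixed("bob", "MTAwMA=="))       # None
```

The fix is the ownership comparison, not the encoding: the same check must run whether the id arrives as 1000, MTAwMA== or its MD5 digest.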

Where are IDORs Located?

  • The vulnerable endpoint you're targeting may not always be something you see in the address bar.
  • It could be content your browser loads via an AJAX request, or an endpoint you find referenced in a JavaScript file.
  • For example: /user/details?user_id=123.

Note: In the browser's developer tools, select the request and choose the option Copy as cURL to reproduce it with a different id from the command line.