Skip to content

02 Access Control

Introduction

  • IDOR - Insecure Direct Object Reference
  • IDOR vulnerability is when changing some id value will display another user's information.
  • Example: https://onlinestore.thm/order/1000/invoice if the value 1000 is changed to another value then it will display the invoice of the corresponding user.

Encoded IDs

  • IDs can also be encoded instead of referring it directly.
  • Base64 is the most commonly used encoding format in websites.
  • Instead of 1000 the encoded value MTAwMA== can be used.
  • Below website can help in encoding and decoding values.
  • https://gchq.github.io/CyberChef/

Hashed IDs

  • Hashed ids are little more complicated than encoded ids.
  • In md5 hashing, the id 123 would become 202cb962ac59075b964b07152d234b70.
  • Below websites can help in finding the value for hashes.
  • https://hashes.com/
  • https://crackstation.net/

Unpredictable IDs

  • An excellent method of IDOR detection is to create two accounts and swap the Id numbers between them.
  • If you can view the other users' content using their Id number while still being logged in with a different account (or not logged in at all), you've found a valid IDOR vulnerability.

Where are IDORs Located?

  • The vulnerable endpoint you're targeting may not always be something you see in the address bar.
  • It could be content your browser loads in via an AJAX request or something that you find referenced in a JavaScript file.
  • For example: /user/details?user_id=123.

Note: Select the request in developer tools and select the option Copy as curl.