Insecure Direct Object References (IDOR)

Overview

An Insecure Direct Object Reference may arise when the application retrieves or accesses a resource using the resource itself as the reference used to look it up. Examples include passing the filename of a document to retrieve, redirecting to a URL that the browser supplied as a parameter value, or including a file whose path and name the browser supplied.

Discovery Methodology

For each parameter that identifies a resource, determine whether the value is the resource itself or whether the application only accepts a token that is meaningless outside of that context. For example, if the site expects an include file name to be passed, this is likely a direct object reference. If instead the site expects an integer that the server later maps to the include file to display, the site is not likely to be vulnerable to this issue.

Exploitation

Based on the type of resource, submit other values to the server in order to gain access to, or load, content to which the user is not authorized.

Example: Local and Remote File Inclusion

Note the page parameter in NOWASP URLs. This parameter is the include file to load within the main frame. Since this parameter loads any file passed, attempt to pass a local file or a remote file URI.

Example: Accessing system files

Step 1: Recon: Obtain a list of files

Possible Technique: Use command injection
  Page: dns-lookup.php
  Value (Windows): && dir /w
  Value (Linux): && pwd && ls -l
Possible Technique: Use robots.txt
Possible Technique: Use directory browsing
Possible Technique: Use directory brute-forcing
Possible Technique: Guess

Step 2: Gaining Access: Retrieve system files

Page: source-viewer.php
Technique: Use an interception proxy such as Burp to change the value of the phpfile parameter. Use parent directory references (..) to bypass jails.
Tool: Tamper Data, Paros, WebScarab, Burp
Field: phpfile
Value: <system file path>, ../../../boot.ini, ..\..\..\WINDOWS\System32\drivers\etc\hosts, ../../../etc/passwd

Videos

Introduction to Fuzzing Web Applications with Burp-Suite Intruder Tool
How to Exploit Local File Inclusion Vulnerability using Burp-Suite
ISSA 2013 Web Pen-testing Workshop - Part 6 - Local/Remote File Inclusion
How to Show Secret Page in Security Level 5
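The Discovery Methodology above contrasts a page parameter that carries the include file itself with one that carries an integer the server maps to the file. The following is an added example, not code from this page or from NOWASP/Mutillidae, showing that indirect reference map together with a containment check for the case where a filename must still be accepted; the map contents and the include directory are assumptions.

```python
"""Indirect object references for an include-file parameter.

Added example (not from the original page). The client only ever
sees an integer key; the server owns the mapping to filenames.
PAGE_MAP contents and INCLUDE_ROOT are assumed values.
"""
import os

# Server-side map from opaque token to include file.
PAGE_MAP = {
    1: "home.php",
    2: "dns-lookup.php",
    3: "source-viewer.php",
}
INCLUDE_ROOT = "/var/www/app/pages"  # assumed include directory


def resolve_page_token(token):
    """Resolve an indirect reference; anything not in the map is rejected.

    Returns the mapped filename or None. The token is parsed as a
    decimal integer, so '2', ' 2 ' and '02' all mean page 2, while a
    path or URI can never reach the filesystem lookup at all.
    """
    try:
        key = int(str(token).strip())
    except (TypeError, ValueError):
        return None
    return PAGE_MAP.get(key)


def resolve_path_in_root(name, root=INCLUDE_ROOT):
    """Fallback for legacy callers that pass a filename directly.

    Reject remote URIs and absolute paths, then require that the
    normalised path lies strictly inside root; realpath collapses
    any '..' segments before the containment test.
    """
    if not name or "://" in name or name.startswith(("/", "\\")):
        return None
    try:
        root = os.path.realpath(root)
        candidate = os.path.realpath(os.path.join(root, name))
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # embedded NUL byte or mixed drives
        return None
    if not inside or candidate == root:
        return None
    return candidate
```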