Insecure Direct Object Reference (IDOR) vulnerabilities are prevalent in modern web applications and APIs, making them a prime target for novice and experienced bug bounty hunters. Despite their simplicity in concept, IDOR vulnerabilities can lead to severe security breaches, exposing sensitive data or enabling unauthorised actions.

In this article, we will explore identifying and exploiting IDOR vulnerabilities, delving into basic and advanced scenarios. Let’s begin with a clear definition of IDOR vulnerabilities.

Understanding IDOR Vulnerabilities

IDOR vulnerabilities occur when an application takes user input to directly reference a data object, such as a database field or a file in storage, without proper access control validation. This means the application fails to verify whether the requester is authorized to access or modify the object.

Due to this lack of access control, attackers can manipulate input to gain access to or alter data they should not be able to. This can result in the exposure of sensitive information or unauthorised changes to data, making IDOR vulnerabilities highly critical.

Identifying IDOR Vulnerabilities

To identify IDOR vulnerabilities, look for components that use unique identifiers to reference objects. Developers are encouraged to use unpredictable identifiers, but predictable IDs, like numerical values, are still commonly used. The key indicators of potential IDOR vulnerabilities include:

1. Direct Object References: Identifying references to objects through IDs in URLs or request bodies.

2. State-Changing Actions: Actions that modify or retrieve non-public data.

Despite the perception that IDOR vulnerabilities are easy to spot, finding them requires diligent testing and exploration of under-tested functionalities.

Basic IDOR Exploitation

Basic IDOR exploitation involves manipulating predictable identifiers to access or modify unauthorised data. For example, changing a numerical ID in a request to another user's ID might allow access to their data.

Advanced IDOR Exploitation Techniques

1. Parameter Pollution: Test for parameter pollution where multiple values for the same parameter are handled in unpredictable ways. This can bypass certain checks.

2. JSON Globbing: Experiment with different JSON body structures. Input variations like arrays, boolean values, wildcard characters, large integers, negative values, decimal numbers, or string values with delimiters can reveal vulnerabilities.

3. Method-Based IDOR: Change the HTTP request method (e.g., GET to POST) to see if access control checks are bypassed, allowing unauthorised actions or data retrieval.

4. Content-Type-Based IDOR: Alter the content-type header in requests to manipulate how the application processes the input, potentially bypassing access controls.

5. Deprecated API Versions: Exploit older API versions that lack security patches implemented in newer versions.

6. Static Keywords in APIs: Replace static keywords like "current" or "me" with numerical IDs to test for IDOR vulnerabilities.

7. Unpredictable IDs: Even with UUIDs or hashes, explore ways to enumerate these IDs through various endpoints or other references such as public profiles or search engine results.

8. Second-Order IDOR Vulnerabilities: These involve indirect references where user input is stored and later used to access objects. For example, scheduled tasks that retrieve and use stored user IDs without additional checks.

Conclusion

IDOR vulnerabilities, while straightforward in concept, can be highly detrimental if exploited. Security professionals and bug bounty hunters can better protect and secure web applications by understanding the various techniques for identifying and exploiting these vulnerabilities.

Now that you’ve learned about IDOR vulnerabilities, it’s time to put your skills to the test. Explore various bug bounty programs and see if you can uncover these vulnerabilities in real-world applications. Happy hunting!

Join our researcher community and start hunting with Com Olho. Sign up at https://cyber.comolho.com/user/signup/.