-
Notifications
You must be signed in to change notification settings - Fork 178
Insecure Direct Object Reference
Insecure Direct Object Reference (IDOR) occurs when a application exposes a reference to an internal implementation object. By leveraging this behaviour, it is possible to reveal and understand the real identifier and format/pattern used of the element in the by application storage mechanism.This could be leveraged with other access control issues to to access data for other users of the application by enumerating the identifier.
After registering and logging in to the DVWS application frontend (http://dvws.local/
), it is possible to access the notes area. The notes area allows a user to create a note. A note can be created here with specific states ['note', 'reminder', 'list', 'secret', 'public'],
A note any state other than public
should not be accessible by other users.
The API request/response which fetches the created notes data can be seen below:
GET /api/v2/notes/ HTTP/1.1
Host: dvws.local
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoic2FtcyIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNTkxNDQ3MjUwLCJleHAiOjE1OTE2MjAwNTAsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.XIyvc3PAqSlvmD3P7AQImaoMskrT0V3A7uyj1CKLaEw
Connection: close
HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: null
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Type: application/json; charset=utf-8
Content-Length: 475
ETag: W/"1db-hTWceRv/5yS5x4DtBZ1laEtMP3Q"
Date: Sat, 06 Jun 2020 12:56:14 GMT
Connection: close
[{"type":["secret"],"_id":0,"name":"privatenote","body":"hidden secret","user":"sams","Created_date":"2020-06-06T12:42:09.588Z"},{"type":["list"],"_id":1,"name":"test","body":"apple,orange,banana","user":"sams","Created_date":"2020-06-06T12:55:48.840Z"},{"type":["note"],"_id":2,"name":"test","body":"test","user":"sams","Created_date":"2020-06-06T12:55:58.519Z"},{"type":["list"],"_id":3,"name":"foo","body":"foobar","user":"sams","Created_date":"2020-06-06T12:56:12.724Z"}]
By studying the response, it is possible to understand that the _id
parameter is a reference to an internal implementation object, and it is possible to request each note separately by following API logic. E.g. http://dvws.local/api/v2/notes/3
.
As such, it is possible to read notes created by other users by enumeration through object IDs
- XML External Entity Injection
- Server Side Request Forgery (SSRF)
- Username Enumeration
- NoSQL Injection
- Insecure Direct Object Reference
- Mass Assignment
- Cross Site Scripting (XSS)
- Hidden API Functionality Exposure
- SQL Injection
- Information Disclosure
- Insecure PostMessage Configuration
- Command Injection
- Prototype Pollution
- JSON Hijacking
- XPath Injection
- Cross Origin Resource-Sharing Misonfiguration
- JWT Secret Key Brute Force
- Vertical Access Control
- Horizontal Access Control
- Open Redirect
- Path Traversal
- Unsafe Deserialization
- Sensitive Data Exposure
- Arbitrary File Write
- Introspection Enabled
- GraphQL Access Control Issues
- GraphQL Batching Brute Force
- Client Side Template Injection