惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

aimingoo的专栏
aimingoo的专栏
Google DeepMind News
Google DeepMind News
S
SegmentFault 最新的问题
Project Zero
Project Zero
D
DataBreaches.Net
I
InfoQ
L
Lohrmann on Cybersecurity
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
The Register - Security
The Register - Security
Recorded Future
Recorded Future
Vercel News
Vercel News
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
I
Intezer
The Hacker News
The Hacker News
F
Fortinet All Blogs
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
Help Net Security
Help Net Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Scott Helme
Scott Helme
T
Threatpost
爱范儿
爱范儿
N
Netflix TechBlog - Medium
D
Docker
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
K
Kaspersky official blog
H
Help Net Security
S
Secure Thoughts
T
Threat Research - Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
Security @ Cisco Blogs
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
G
Google Developers Blog
Forbes - Security
Forbes - Security
博客园 - 三生石上(FineUI控件)
博客园 - 叶小钗
B
Blog
Google DeepMind News
Google DeepMind News
Recent Announcements
Recent Announcements
Simon Willison's Weblog
Simon Willison's Weblog
S
Securelist
P
Privacy International News Feed
Spread Privacy
Spread Privacy
The Last Watchdog
The Last Watchdog

Black Hills Information Security, Inc.

Bad Habits: An ANTISOC Operation Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other How to Identify and Exploit New Vulnerabilities Swapper – A Pure Regex Match/Replace Burp Extension A Practical Guide to BloodHound Data Collection Network Engineering Basics Signed, Trusted, and Abused: Proxy Execution via WebView2 Getting Started In Pentesting – Advice From The BHIS Pentest Lead Cloud Security: Tips and Resources for Securing the Cloud Lessons From A Chatbot Incident How to Lead Effective Tabletops Understanding GRC: How to Navigate Risks and Compliance Standards The “P” in PAM is for Persistence: Linux Persistence Technique Malware Analysis: How to Analyze and Understand Malware OSINT: How to Find, Use, and Control Open-Source Intelligence What to Do with Your First Home Lab When the SOC Goes to Deadwood: A Night to Remember Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions Common Cyber Threats Finding the Right Penetration Testing Company Deceptive-Auditing: An Active Directory Honeypots Tool The Curious Case of the Comburglar How to Set Smart Goals (That Actually Work For You) Inside the BHIS SOC: A Conversation with Hayden Covington Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation Why You Got Hacked – 2025 Super Edition Abusing Delegation with Impacket (Part 2): Constrained Delegation Abusing Delegation with Impacket (Part 1): Unconstrained Delegation GoSpoof – Turning Attacks into Intel Model Context Protocol (MCP) Bypassing WAFs Using Oversized Requests Getting Started with AI Hacking Part 2: Prompt Injection Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) DomCat: A Domain Categorization Tool Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) Microsoft Store and WinGet: Security Risks for Corporate Environments Default Web Content MailFail Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security Stop Spoofing Yourself! Disabling M365 Direct Send Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource DNS Triage Cheatsheet GraphRunner Cheatsheet Burp Suite Cheatsheet Impacket Cheatsheet Wireshark Cheatsheet Hashcat Cheatsheet EyeWitness Cheatsheet Nmap Cheatsheet Netcat (nc) Cheatsheet Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite Detecting ADCS Privilege Escalation Vulnerability Scanning with Nmap Getting Started with NetExec: Streamlining Network Discovery and Access How to Use Dirsearch Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot How to Design and Execute Effective Social Engineering Attacks by Phone Abusing S4U2Self for Active Directory Pivoting Why Use a Macro Pad? Espanso: Text Replacement, the Easy Way Caging Copilot: Lessons Learned in LLM Security Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference Intercepting Traffic for Mobile Applications that Bypass the System Proxy How to Root Android Phones Communicating Security to the C-Suite: A Strategic Approach Offline Memory Forensics With Volatility Getting Started with AI Hacking: Part 1 Go-Spoof: A Tool for Cyber Deception How to Test Adversary-in-the-Middle Without Hacking Tools Canary in the Code: Alert()-ing on XSS Exploits How to Hack Wi-Fi with No Wi-Fi Why Your Org Needs a Penetration Test Program Burp Suite Extension: Copy For Light at the End of the Dark Web Wi-Fi Forge: Practice Wi-Fi Security Without Hardware Avoiding Dirty RAGs: Retrieval-Augmented Generation with Ollama and LangChain Gone Phishing: Installing GoPhish and Creating a Campaign 5 Things We Are Going to Continue to Ignore in 2025 John Strand’s 5 Phase Plan For Starting in Computer Security Questions From a Beginner Threat Hunter GRC for Security Managers: From Checklists to Influence AI Large Language Models and Supervised Fine Tuning Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan One Active Directory Account Can Be Your Best Early Warning Introduction to Zeek Log Analysis Indecent Exposure: Your Secrets are Showing Creating Burp Extensions: A Beginner’s Guide Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) The Top Ten List of Why You Got Hacked This Year (2023/2024) ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches Intro to Data Analytics Using SQL Finding Access Control Vulnerabilities with Autorize The Detection Engineering Process Cyber Risk Lessons We Can Learn From Hurricane Preparedness Intro to Desktop Application Testing Methodology What Is Penetration Testing? Adversary in the Middle (AitM): Post-Exploitation Pentesting, Threat Hunting, and SOC: An Overview
Revisiting Insecure Direct Object Reference (IDOR)
BHIS · 2024-02-09 · via Black Hills Information Security, Inc.

, , , , , ,

The new year has begun, and as a penetration tester at Black Hills Information Security, one thing really struck me as I reflected on 2023: a concerningly large number of web applications suffered from insecure direct object reference (IDOR) vulnerabilities that were critical in severity because they exposed highly sensitive data. In the last four months of 2023 alone, I discovered five such instances. This issue is slipping through the cracks with alarming frequency, even in web applications that are otherwise fairly well-secured.

Those of you who are unfamiliar with IDOR should consider checking out Kelsey Bellew’s blog post from February 2016 HERE for a great high-level overview. I will also be covering the basics of IDOR here, as well as additional tips for preventing and detecting it.

In essence, IDOR is when an authenticated user of a web application is able to gain unauthorized access to resources by changing the value of an identifier in an HTTP request. There are a number of spots in the HTTP request where these identifiers may be, such as a URL query strings, HTTP POST parameters, or even in cookie values.

If the web application makes an HTTP POST request to retrieve the name, email address, and phone number of the current user with an ID of 10001 and changing the ID in the request to 10009 returns the name, email address, and phone number of an entirely unrelated user, then IDOR has been successfully exploited. This is a consequence of the application failing to check whether a user is authorized to access a particular set of information while carrying out a request.

Below is a step-by-step example of IDOR exploitation. First, the user, Sideshow Bob, accesses his own data through normal means at the URL, /user/10001.json.

Authorized Access to User Data

The HTTP request that returned the above data is intercepted with Burp Suite and sent to the Burp Suite Intruder module. The number 1 in the URI /user/10001.json is specified as a payload position.

Burp Suite Intruder – Payload Position Configuration

Next, the Burp Suite Intruder is configured to inject the numbers 0 through 9 into the payload position.

Burp Suite Intruder – Payload Set Configuration

The resulting Burp Suite Intruder output returns not just Sideshow Bob’s data, but also Bart Simpson’s data at /user/10009.json, which Sideshow Bob was not intended to view.

Burp Suite Intruder Results – Unauthorized Access to Another User’s Data

The fact that IDOR, by definition, can only be performed post-authentication may give some developers a false sense of security regarding this issue. However, if the vulnerable web application has a registration page allowing anyone to make a new user account, the information is as good as public because anyone on the internet could make an account and access that data. Even if account registration is restricted, the potential for damage is so substantial that the risk from IDOR attacks should not be taken lightly.

Because unsecured identifiers may be used while the application carries out a variety of actions, the consequences of IDOR can be wide-ranging. Examples of IDOR attacks that I have successfully exploited over just the past few months include:

  • IDOR affecting password change functionality, which made it possible to change the password of any user in the application.
  • IDOR that allowed low-privilege users to perform admin functions, such as user impersonation, password changes, and modification or deletion of user accounts.
  • IDOR that disclosed large amounts of personal information about every user in the system, including full names, mailing addresses, email addresses, phone numbers, and other sensitive data. This information can be very damaging to a company’s reputation if it winds up in a data dump on the dark web.

Preventing and addressing IDOR requires both developers and penetration testers to be proactive, with the steps I’ve outlined below.

Tips for Testers – Discovering IDOR

  • Examine HTTP requests while you are exploring the application and test for IDOR using the Burp Suite Intruder as described earlier in this blog post. Care needs to be taken when performing these tests in production, but whenever possible, it is prudent to inject hundreds or thousands of numbers as payloads, as numeric identifiers are not always sequential, and a large number of guesses may be necessary to successfully identify IDOR.
  • Know what information in the environment is considered sensitive. Sometimes it is obvious which data is sensitive, but sometimes it’s not. Work with the stakeholders to understand which data they are most concerned about.
  • Once you have identified which data is most sensitive, identify which endpoints return this data and prioritize testing those, especially if there is a limit to how much time you can spend testing an application.
  • Be extremely thorough. Even if access controls are enforced correctly in 99 out of 100 endpoints, that one unenforced endpoint can expose a lot of information.
  • Whenever possible, perform testing with two user accounts per privilege level. If there are so many user account privilege levels that this would be impractical, aim to test with user accounts that have the least level of privilege and the highest level of privilege at a minimum.
  • Be wary of false alarms. Authenticated users are often intended to access certain personally identifiable information in certain contexts. For example, an application accessible only to company employees may have a company directory with employees’ contact information so that coworkers can get in touch with one another. Business addresses and business phone numbers for sales representatives may be appropriate to reveal even without authentication, whereas the same individuals’ home addresses may not be appropriate to reveal even to authenticated users. Context is key.
  • The Burp Suite extension, Autorize, is helpful for automating access control checks, particularly when the tester has access to multiple user accounts.

Tips for Developers – Preventing IDOR

  • Every time a user accesses a resource or performs an action, a check needs to be performed to verify that the user is authorized to access that resource or perform that action.
  • IDOR needs to be considered every time new code is deployed. Most of the time when I discover IDOR, access controls are enforced correctly 99% percent of the time, but one or two endpoints slip past any previously utilized quality checks and wreak havoc.
  • Keep in mind that IDOR is a business logic flaw. Vulnerability scanners may be great at detecting things like cross-site scripting, but they aren’t going to pick up on nuanced logic such as “Customer A should have access to Customer B’s data, but not Customer C’s” data.
  • Using unpredictable identifiers, such as GUIDs, may make IDOR more difficult to discover, but it is not a replacement for correctly enforcing security controls. If the GUIDs are disclosed anywhere in the application or sent over a URL, IDOR may still be exploited.
  • Consider adding checks for IDOR as integration tests or acceptance tests as described here.

Hopefully this post has given you some things to think about regarding IDOR. Given how prolific and consequential this vulnerability is, we all need to do our part to keep an eye out for it.



Ready to learn more?

Level up your skills with affordable classes from Antisyphon!

Pay-What-You-Can Training

Available live/virtual and on-demand