Sunday, 1 July 2018

How To: Explanation Of IDOR (Insecure Direct Object Reference) With Example

The fourth vulnerability on the OWASP Top 10 list is IDOR (Insecure Direct Object Reference). This vulnerability allows an attacker to change other users' content by manipulating a parameter that points to an object. An attacker can modify resources belonging to other users, such as files on the system, change the profile picture of another account, delete data, and much more. It happens when the application retrieves the object from the database using the supplied identifier without performing any authorization check to confirm that the current user is allowed to access it. You can test for this vulnerability by mapping out all the locations where user input is supplied and seeing whether the server verifies ownership. Now we will test this vulnerability on the bWAPP vulnerable application.

Installation Of bWAPP

Let's start.

You first need to install bWAPP on your Kali Linux system. After installing it, start the Apache and MySQL services in Kali with the following commands:
service apache2 start
service mysql start


Now browse to the following URL in the Mozilla browser and log in with the default bWAPP credentials:
User: bee
Password: bug

I have created a new user in bWAPP to test for IDOR. You can create a user by clicking the create new user option in the menu bar.

Now select the Insecure Direct Object Reference (Change Secret) vulnerability and click Hack to begin.

Next, run Burp Suite and intercept the request. Put anything in the new secret field and click Change.

Now you can see that we successfully captured the request. I will change login=bee to login=newuser, where newuser is the other account that I created earlier, and then forward the request.

You can see that the secret of the newuser account has been changed successfully without that user's authorization. Now let's look at another example of Insecure DOR. Many people today buy things online, whether goods or services; in this example, a site is used to order movie tickets online. Let's look at a similar case, where we will order tickets at a low price by manipulating the parameters.

The price per ticket is 15 EUR, but we will order 15 tickets for a total of 15 EUR by manipulating the parameter. Let's start.

Here you can see the ticket_price parameter. We will change the price to 1 EUR, so that 15 tickets cost 15 EUR, and forward the request.

You can see that we successfully ordered 15 tickets for just 15 EUR. This is another example of IDOR: the server trusted a client-supplied value (the price) instead of looking it up on its own side.
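As an added example (not bWAPP's own code, which is PHP), here is a Python model of both handlers discussed above, each in its vulnerable form beside a hardened form: the Change Secret handler should select the row from the authenticated session rather than the login parameter, and the Order Tickets handler should take the price from the server-side catalogue. The in-memory user table, the session argument and the fixed price are assumptions for illustration.

```python
# Added example, not code from bWAPP. Models the two IDOR cases from the
# tutorial: an object selected by a client-supplied 'login' parameter, and a
# price taken from a client-supplied 'ticket_price' parameter.

TICKET_PRICE_EUR = 15  # authoritative server-side price (assumed catalogue)


def fresh_db():
    # Constructed in-memory stand-in for the bWAPP users table.
    return {"bee": {"secret": "bee-secret"}, "newuser": {"secret": "new-secret"}}


def change_secret_vulnerable(db, request):
    # IDOR: whichever 'login' the client sends decides whose row is updated.
    db[request["login"]]["secret"] = request["secret"]
    return "ok"


def change_secret_fixed(db, session_user, request):
    # The authenticated session identity selects the row. A 'login' field in
    # the request is tolerated only if it matches that identity.
    if request.get("login", session_user) != session_user:
        return "forbidden"  # mismatch is worth logging as an IDOR attempt
    db[session_user]["secret"] = request["secret"]
    return "ok"


def order_tickets_vulnerable(request):
    # Price is trusted from the client: quantity=15, ticket_price=1 -> 15 EUR.
    return int(request["quantity"]) * int(request["ticket_price"])


def order_tickets_fixed(request):
    # Only the quantity comes from the client; the price is looked up
    # server-side, so a tampered 'ticket_price' field has no effect.
    qty = int(request["quantity"])
    if qty <= 0:
        raise ValueError("quantity must be positive")
    return qty * TICKET_PRICE_EUR


if __name__ == "__main__":
    db = fresh_db()
    change_secret_vulnerable(db, {"login": "newuser", "secret": "changed"})
    print("vulnerable:", db["newuser"]["secret"])  # changed by user 'bee'
    print("fixed:", change_secret_fixed(fresh_db(), "bee",
                                        {"login": "newuser", "secret": "x"}))
    print("vulnerable total:", order_tickets_vulnerable(
        {"quantity": "15", "ticket_price": "1"}))
    print("fixed total:", order_tickets_fixed(
        {"quantity": "15", "ticket_price": "1"}))
```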
