IDOR hands-on tutorial with multiple techniques

  • Published 31 May 2024
  • Hello ethical hackers and welcome again to this OWASP Top 10 training series. In this hands-on IDOR tutorial, you will practice what you’ve learned about the IDOR vulnerability we explored earlier. Specifically, you will leverage IDOR to:
    - Access other users’ data using simple IDs and UUIDs
    - Impersonate other users
    - Hunt for hard IDs
    - Delete other users’ data
    If you don’t know what IDOR, RESTful APIs or HTTP methods are, I highly recommend you read the article below. That way, you will take full advantage of this IDOR tutorial.
    I will be releasing similar hands-on tutorials to help you practice on security vulnerabilities. Make sure you stay up to date by subscribing to this channel.
    =================
    IDOR theory blog post: thehackerish.com/idor-explain...
    IDOR practice tutorial: thehackerish.com/idor-tutoria...
    Follow us on Twitter: / thehackerish
    Facebook Page: / thehackerish
    ================
    IDOR stands for Insecure Direct Object Reference. The name might be long to remember, but it's accurate. Let me break that down for you. I will make key concepts in bold so that it’s easier for you to connect the dots and understand what IDOR means.
    Typically, every application serves a business. To do that, it has to manipulate resources. For instance, an ecommerce website manipulates products, users, baskets, etc. Each resource instance is called an object, and it is generally referenced by an ID. For example, user A will have ID 1 and user B will have ID 2. The IDOR vulnerability targets a flaw in the way the application references these objects. In other words, insecure validation, or the lack of any validation, can let a malicious user directly access unauthorized resources.
    I tried to put all the keywords into place. Hopefully, this makes sense for you now. If it is not clear, don’t worry. The following sections will make it crystal clear.
    IDOR falls into the OWASP Broken Access Control vulnerability category. This means that you will find most IDOR vulnerabilities after you authenticate to the application, although there might be some exceptions.
    The most basic IDOR scenario happens when the application references objects using easy-to-guess IDs. For example, they can be incremental integers, or they can contain predictable words like the user's email or a folder name. Sometimes they are poorly encoded, for instance a base64-encoded incremental integer, or a hash of a profile image name.
    Sometimes the application uses IDs which are hard or even impossible to guess. In this case, it is most likely a Globally Unique Identifier (GUID), also known as a universally unique identifier (UUID).
    In this case, you can perform more enumeration on the application; in other words, try to discover as many features as you can. You will likely find endpoints which return a list of objects, each one referenced using a publicly available GUID. For example, a user's public profile might return their GUID.
    If UUIDs are not publicly available, you can still test for the IDOR vulnerability. Although the impact might be lower, I’ve seen many instances where the issue has been accepted by the client as valid. Moreover, if there is a CSRF issue or a CORS misconfiguration, you can exfiltrate UUIDs and forge your malicious requests with ease.
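The object lookup the description talks about, as an added example that is not code from the video or from thehackerish: a constructed in-memory basket store with a lookup that trusts the supplied ID beside one that validates that the authenticated user owns the object. `encode_id`/`decode_id` model the base64-wrapped incremental integer case and `new_opaque_id` the GUID case; all names and data are assumptions.

```python
import base64
import uuid

# Constructed sample store: each basket (object) belongs to exactly one user.
# IDs 1 and 2 mirror the "user A has ID 1, user B has ID 2" situation above.
BASKETS = {
    1: {"owner": "alice", "items": ["book"]},
    2: {"owner": "bob", "items": ["laptop"]},
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""


def encode_id(object_id: int) -> str:
    """The 'poorly encoded' reference: base64 around an incremental integer."""
    return base64.urlsafe_b64encode(str(object_id).encode()).decode()


def decode_id(raw: str) -> int:
    """Base64 is an encoding, not a secret: the integer comes straight back."""
    return int(base64.urlsafe_b64decode(raw.encode()).decode())


def new_opaque_id() -> str:
    """The GUID/UUID reference style. Hard to guess, but opacity is not
    authorization: the ownership check below is still required."""
    return str(uuid.uuid4())


def get_basket_vulnerable(current_user: str, raw_id: str) -> dict:
    """IDOR: the object is fetched by ID and current_user is never consulted."""
    return BASKETS[decode_id(raw_id)]


def get_basket_fixed(current_user: str, raw_id: str) -> dict:
    """Hardened: resolve the reference, then enforce that the authenticated
    user owns it. Missing and not-owned both raise the same error so the
    response does not reveal which IDs exist."""
    try:
        basket = BASKETS.get(decode_id(raw_id))
    except ValueError:  # malformed or non-integer reference
        basket = None
    if basket is None or basket["owner"] != current_user:
        raise Forbidden("basket not accessible")
    return basket


def can_access(current_user: str, raw_id: str) -> bool:
    """True only if the fixed lookup lets current_user read the basket."""
    try:
        get_basket_fixed(current_user, raw_id)
        return True
    except Forbidden:
        return False
```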

COMMENTS • 18

  • @the_oneironaut
    @the_oneironaut 9 months ago

    This is, with no doubt, the best video I've seen on the subject.

  • @jbrown8274
    @jbrown8274 2 years ago +2

    Such a great video, easy to follow and direct, with plenty of examples. Thank you

    • @thehackerish
      @thehackerish 2 years ago +1

      I am happy it was helpful. Thank you for your kind feedback!

    • @jbrown8274
      @jbrown8274 2 years ago

      @thehackerish Thank you so much for taking the time to help educate us on how we can bounty. I am excited to get into this new (for me) field

  • @johnmartin6664
    @johnmartin6664 3 years ago +1

    Thank you so much brother 🙏❤️

  • @mrayoub5564
    @mrayoub5564 4 years ago

    Nice work +1

  • @CristiVladZ
    @CristiVladZ 4 years ago +5

    Keep up the good work! I'd like to invite you to our Discord server where you can share these videos as well. Let me know and I'll send an invite!

    • @thehackerish
      @thehackerish 4 years ago

      Thank you for your kind words! You can DM me.

  • @shashank__239
    @shashank__239 3 years ago +1

    Nice explanation @thehackerish

  • @LALPRO_
    @LALPRO_ 4 years ago

    Good

  • @ajaykumark107
    @ajaykumark107 4 years ago

    Please make more videos!

  • @saberkz
    @saberkz 4 years ago

    Nice video, but it would be better if you used Burp, as it's the standard and cleaner and more familiar. Thanks mate

    • @thehackerish
      @thehackerish 4 years ago +3

      Thanks for your comment! As a web security pentester or a bug bounty hunter, you should have knowledge of both tools. They both have strengths and weaknesses. There are some who use ZAP; there is even a LevelUp talk on Bugcrowd dedicated to it, with an awesome side-by-side comparison :) Here it is: ua-cam.com/video/7WL-emt5PDc/v-deo.html

  • @RAVIJATAV007
    @RAVIJATAV007 3 years ago

    🦋