Creator: zseano

About: Hey! I'm zseano and I run BugBountyNotes. I do bug bounties full time and I managed to reach the top 10 on Bugcrowd in just 8 months from one program. I am lucky to attend live events by HackerOne and this is what inspired me to create this! :) I specialise in webapp testing and I love helping others. Feel free to reach out.

IDOR (Insecure Direct Object Reference)


What is an IDOR? IDOR stands for "Insecure Direct Object Reference". In its simplest form it is an endpoint such as https://api.example.com/api/user/139349, where you supply a user ID, GUID, or some other identifier and the server acts on it and responds. An application that is not vulnerable will not let you change 139349 to another user's ID; if it is vulnerable, the IDOR bug lets a malicious user enumerate https://api.example.com/api/user/x and leak users' information.
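As an added illustration (not code from the original post), here is the pattern behind that example in Python: a vulnerable handler for /api/user/<id> that only checks the caller is logged in, beside a hardened handler that also checks the caller owns the requested record or holds an explicit role. The user table, session store, role table and identifiers are constructed for the example; the `leaked_records` helper counts how many records a single session can read by walking an ID range.

```python
# Added example: object-level authorization for GET /api/user/<id>.
# The users, sessions, roles and identifiers below are constructed sample data.

# Constructed user table: user id -> record the endpoint returns.
USERS = {
    139349: {"id": 139349, "email": "alice@example.com", "phone": "+1-555-0100"},
    139350: {"id": 139350, "email": "bob@example.com", "phone": "+1-555-0101"},
    139351: {"id": 139351, "email": "carol@example.com", "phone": "+1-555-0102"},
}

# Constructed session store: session token -> authenticated user id.
SESSIONS = {"tok-alice": 139349, "tok-bob": 139350, "tok-carol": 139351}

# Constructed role table: user ids explicitly allowed to read any record.
ADMINS = {139351}


def get_user_vulnerable(session_token, requested_id):
    """IDOR: the caller is authenticated, but nothing ties the requested
    object to the caller, so any logged-in session can read any user."""
    if session_token not in SESSIONS:
        return 401, None
    record = USERS.get(requested_id)
    if record is None:
        return 404, None
    return 200, record


def get_user_hardened(session_token, requested_id):
    """Authorization is decided per object: the record is returned only if
    the caller owns it or holds a role that permits reading other records."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        return 401, None
    if requested_id != caller_id and caller_id not in ADMINS:
        # A 404 (not 403) avoids confirming that the requested id exists;
        # a real service would also log this as a possible enumeration.
        return 404, None
    record = USERS.get(requested_id)
    if record is None:
        return 404, None
    return 200, record


def leaked_records(handler, session_token, id_range):
    """Count how many records one session can read by walking an id range,
    which is exactly what an enumeration of /api/user/x amounts to."""
    return sum(1 for uid in id_range if handler(session_token, uid)[0] == 200)


if __name__ == "__main__":
    ids = range(139340, 139360)
    print("vulnerable:", leaked_records(get_user_vulnerable, "tok-alice", ids))  # 3
    print("hardened:  ", leaked_records(get_user_hardened, "tok-alice", ids))    # 1
```

The only difference between the two handlers is the ownership/role check; authentication alone is what the vulnerable version already had. Returning 404 for records the caller may not read is a deliberate choice so the response does not reveal which IDs exist.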

Over my time as a bug bounty hunter I've reported countless IDORs, resulting in ~250,000,000 details being leaked, and this post is designed to outline the process I use. IDORs can exist throughout the entire application, so whenever you see IDs, always test them, even if they are GUIDs (look for ways to obtain that GUID, perhaps on the user's profile).

Features to test

  1. Opt out links

    These sometimes just contain a userid argument to opt out and will usually reveal the user's email. These can be found in emails they send you. Sign up to all newsletters!

  2. Mobile Apps

    80% of my IDOR findings are from mobile apps. Most mobile apps use a simple API to log the user in, display their information, etc. A lot of APIs just take a userid parameter and will usually reveal all of that user's information to you, as shown in the example above.

  3. Updating account settings

    Sometimes when updating your account settings, they'll send your userid as a parameter. Manipulating this can sometimes result in another user's profile being edited. Don't forget that if one feature is vulnerable to IDOR then it may be a site-wide issue (and don't forget to check the mobile site!)

  4. Reset password

    The same as above. Mongobug was able to do this on Uber, but instead of a userID he had to supply the user's number. Not hard to obtain though, right? It earned him a nice $10k; check it out here: https://hackerone.com/reports/143717

  5. Anytime you see some sort of identifier

    This can mean a simple ID (1), a GUID (425d1126-4139-4067-ac68-d9caafdf2b46), or some other value. The key is to look for values which identify you when interacting with the site/API, then check whether you can provide another user's ID (your second testing account); if you can, you have a bug. If it's something like a GUID then look for places it may be leaked on the site (one key tip: it's sometimes in their profile photo's image name. When a user uploads a profile photo and it's saved, the GUID is used as the file identifier :D)
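From the defending side, the enumeration this list describes leaves a recognisable trace: one session requesting many distinct object identifiers in a short time. The following is an added example, not from the original post, that scans constructed access-log lines (the log format, sessions and IDs are assumed for the example) and reports sessions that touched more than a threshold of distinct user IDs, along with how many of those requests succeeded.

```python
import re
from collections import defaultdict

# Constructed access-log lines in an assumed format:
# <timestamp> session=<token> <method> <path> <status>
LOG_LINES = [
    "2024-05-01T10:00:01Z session=tok-alice GET /api/user/139349 200",
    "2024-05-01T10:00:02Z session=tok-alice GET /api/user/139349/settings 200",
    "2024-05-01T10:00:05Z session=tok-bob GET /api/user/139350 200",
    "2024-05-01T10:01:00Z session=tok-mallory GET /api/user/139349 200",
    "2024-05-01T10:01:01Z session=tok-mallory GET /api/user/139350 200",
    "2024-05-01T10:01:02Z session=tok-mallory GET /api/user/139351 404",
    "2024-05-01T10:01:03Z session=tok-mallory GET /api/user/139352 200",
    "2024-05-01T10:01:04Z session=tok-mallory GET /api/user/139353 404",
    "not a log line at all",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
# The object identifier we care about: the numeric id in /api/user/<id>...
OBJECT_RE = re.compile(r"^/api/user/(?P<id>\d+)(?:/|$|\?)")


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_enumerators(lines, max_distinct_ids=3):
    """Group requests by session and flag sessions that requested more than
    `max_distinct_ids` distinct user ids. Both 200 and 404 responses count,
    because probing a hardened endpoint still shows up as a burst of 404s."""
    ids_by_session = defaultdict(set)
    successes_by_session = defaultdict(int)
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable line: skip rather than crash the scan
        m = OBJECT_RE.match(fields["path"])
        if m is None:
            continue  # not a user-object request
        ids_by_session[fields["session"]].add(m.group("id"))
        if fields["status"] == "200":
            successes_by_session[fields["session"]] += 1
    return {
        session: {"distinct_ids": len(ids), "successes": successes_by_session[session]}
        for session, ids in ids_by_session.items()
        if len(ids) > max_distinct_ids
    }


if __name__ == "__main__":
    for session, stats in find_enumerators(LOG_LINES).items():
        print(f"{session}: {stats['distinct_ids']} distinct ids, "
              f"{stats['successes']} successful reads")
```

Counting distinct IDs rather than raw request volume is what separates a user browsing their own profile repeatedly from a session walking the ID space; the success count then tells you whether the endpoint actually leaked data or merely got probed.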

Cool, I've found an IDOR... now what?

Every case of IDOR is different, so it's hard to create a blueprint of "do this, do that!"; instead I'll go through my experience and some hurdles I've had to jump to accomplish what I want. If you do discover an IDOR, make sure to assess the impact, as some IDOR bugs are by design and pose no threat.

  1. The opt-out link contains an encrypted ID

    I see this quite frequently. As explained above, I would start thinking, "where could this value possibly be reflected for another user?". When spidering you should search for your own value and identify whether it's reflected anywhere.

    An example case I found: you could invite a user to join and you'd be their referrer. Upon visiting the endpoint /api/ref?user={username}, the server would respond with that user's GUID. So all I had to do was grab all users' usernames, hit the endpoint to retrieve each GUID, then visit /api/user?guid={guid_here} to reveal all of their account information.

  2. Test mobile apps!

    A lot of people just test web apps and are missing out on tons of juicy stuff in mobile apps. You can easily set Burp up to intercept your phone's traffic by configuring the proxy in your phone's Wi-Fi settings. You can find tutorials for this on https://support.portswigger.net/

    Mobile apps typically use an API (Application Programming Interface), and you can easily start manipulating values in the URL (and check cookies!)

Common bypasses?

I can't really think of many common things to suggest when it comes to "bypassing" an IDOR "filter", since IDORs are simply a matter of submitting another user's user_id and hoping the server responds with something related to that user. All I can suggest is to also test these endpoints for SQL injection, and to test for HTTP Parameter Pollution as well.
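On the HTTP Parameter Pollution point, the server-side risk is that different layers disagree about which copy of a repeated parameter wins. As an added example (not from the original post), the following parses a query string in Python and contrasts a lenient lookup that silently takes one copy with a strict lookup that rejects the request when an identifier appears more than once or is malformed; the query strings and the `user_id` parameter name are constructed for the example.

```python
from urllib.parse import parse_qs


class BadRequest(ValueError):
    """Raised when a request is malformed in a way the handler refuses to guess about."""


def lenient_param(query, name):
    """Typical lookup: return the first occurrence and ignore any duplicates.
    Another component in the chain (a WAF, a cache, a different framework)
    may pick the last occurrence instead, so the two can disagree about
    which user the request refers to."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[0] if values else None


def last_occurrence(query, name):
    """What a 'last one wins' parser returns, for comparison with lenient_param."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[-1] if values else None


def strict_param(query, name):
    """Hardened lookup: an identifier must appear exactly once and be well
    formed; anything else is rejected rather than interpreted."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    if values is None:
        raise BadRequest(f"missing parameter {name!r}")
    if len(values) != 1:
        raise BadRequest(f"parameter {name!r} supplied {len(values)} times")
    if not values[0].isdigit():
        raise BadRequest(f"parameter {name!r} must be a numeric id")
    return int(values[0])


if __name__ == "__main__":
    polluted = "user_id=139349&user_id=139350"  # constructed request
    print(lenient_param(polluted, "user_id"), last_occurrence(polluted, "user_id"))  # 139349 139350
    try:
        strict_param(polluted, "user_id")
    except BadRequest as exc:
        print("rejected:", exc)
```

The point of `strict_param` is that the authorization check and the data access must both see the same identifier; refusing duplicates removes the ambiguity instead of trusting that every layer in front of the handler resolves it the same way.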