
Insecure Direct Object Reference (IDOR) - Where are they?! by zseano

About the Creator

zseano

Hey! I'm zseano and I run BugBountyNotes. I do bug bounties full time and I managed to reach the top 10 on Bugcrowd in just 8 months from one program. I am lucky to attend live events by HackerOne and this is what inspired me to create this! :) I specialise in webapp testing and I love helping others. Feel free to reach out.

What is an Insecure Direct Object Reference?

An example of an IDOR would be to look at the following URL: http://api.example.com/api/user/139349. If you can successfully enumerate the user id (in our case 139349) and retrieve another user's details, you'd have yourself a valid IDOR bug. IDORs are usually that simple: change the id to another one and see if the request succeeds. But sometimes we do run into problems, and where can we actually find them?

Finding IDORs

Typically, anywhere you see an integer (number) value being used, test it for IDOR (depending on what the feature is, of course). However, from my experience hunting for bugs, some key places researchers miss are:

  • Opt-out links
    These sometimes just contain a user id argument to opt out, and sometimes reveal the user's email. They can be found in the emails a site sends you, so make sure to sign up for every newsletter they offer!
  • Mobile apps
    At least 60% of my IDOR findings are from mobile apps. Most mobile apps use a simple API to log the user in, retrieve their information, etc. A lot of APIs just take a user id parameter that can be enumerated. Look for as many integer values as possible and test what each feature does.
  • Updating account settings, changing password, etc.
    Sometimes when updating your account settings, they'll send your user_id as a parameter. Manipulating this can sometimes result in another user's profile being edited. Make sure to keep an eye on cookie values for user ids!
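To make the bug concrete, here is an added example (not code from the tutorial or from any real target): a toy user-lookup API in the shape of the /api/user/139349 URL above, with the vulnerable handler beside the object-level authorization check that fixes it, plus the same id-swap test a researcher performs by hand. The user records and ids are constructed.

```python
# Added example: IDOR on a user-lookup endpoint and its fix.
# Everything here is constructed; no web framework is required.
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class User:
    user_id: int
    email: str


# Constructed sample data: 139349 is the id from the tutorial's example URL,
# 139350 is a neighbouring id an enumeration would try next.
USERS: Dict[int, User] = {
    139349: User(139349, "first@example.com"),
    139350: User(139350, "second@example.com"),
}


def get_user_vulnerable(session_user_id: int, requested_id: int) -> dict:
    """Vulnerable handler: looks up whatever id the URL carries and never
    asks whether the authenticated caller may see that object."""
    user = USERS.get(requested_id)
    if user is None:
        return {"status": 404}
    return {"status": 200, "email": user.email}


def get_user_secure(session_user_id: int, requested_id: int) -> dict:
    """Fixed handler: the object reference is honoured only when it belongs
    to the session (an admin/role check would go in the same place)."""
    if requested_id != session_user_id:
        # Same response as "not found", so the endpoint cannot be used to
        # confirm which ids exist.
        return {"status": 404}
    user = USERS.get(requested_id)
    if user is None:
        return {"status": 404}
    return {"status": 200, "email": user.email}


def leaks_other_user(handler: Callable[[int, int], dict],
                     session_user_id: int, other_id: int) -> bool:
    """The manual IDOR test as a regression check: own id must work, and a
    swapped id must not. True means the handler leaks another user's data."""
    own = handler(session_user_id, session_user_id)
    other = handler(session_user_id, other_id)
    return own["status"] == 200 and other["status"] == 200
```

The `leaks_other_user` check is the kind of test worth keeping in a project's test suite for every endpoint that takes an object id.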


Cool, I've found an IDOR... now what?

Every case of IDOR is different, so it's hard to create a list of "do this, do that!". Instead I'll go through my experience and some hurdles I've had to jump to accomplish what I want.
  • The opt-out link contains an encrypted ID
    This is pretty common and sometimes you will see something like a GUID (c9d18ce3-e58e-4e73-91a2-f614e0312eb1), a numeric user id, or something else. Check for places this may be leaked, such as when viewing another user's profile (don't forget to also check their mobile app if they have one!), messaging them, when their profile photo is loaded, interacting with them, etc.

    An example case I found: you could invite a user to join and you'd be their referrer. Upon visiting the endpoint /api/ref?user={username}, the server would respond with that user's GUID. So all I had to do was grab all users' usernames, hit the endpoint to retrieve each GUID, then visit /api/user?guid={guid_here} to reveal all their account information.

    The key bit of information I can give you here is to keep looking for ways to expose a user's id/GUID, etc.
  • Test mobile apps!
    A lot of people just test web apps and are missing out on TONS of juicy stuff in mobile apps. Setting up Burp via your phone is extremely simple, but I'll outline it here in case you don't know how:

    - Run Burp and click "Proxy" -> "Options" and set the interface to *, like so:

    (screenshot)

    - Grab your computer's local IP (run ipconfig in the Windows command prompt and look for your local IPv4 address), then modify your phone's Wi-Fi settings and set the HTTP proxy.

    (screenshot)

    - The server is your computer's local IP and the port is 8080 (or whichever value it's set to in Burp, as seen in the screenshot above). Now visit http://burp/ on your phone to verify the proxy works and install the HTTPS certificate.

    - Now your phone is set up to record mobile requests (as long as the app has no SSL pinning; there are lots of tutorials out there for that). Start using the app and look for:

    login, logout, opt-out, update information, view your account information (for example, when you want to update your email/password, the client may query an endpoint which returns your information), update password, etc.

    Go nuts and use every feature their app offers! :D


Common bypasses

I can't really think of many common things to suggest when it comes to "bypassing" an IDOR "filter", since IDORs are simply chucking in another user's user_id and hoping the server responds with something related to that user. However, with that said, I will describe two scenarios I had which helped me find IDOR bugs:
  • HPP (HTTP Parameter Pollution)
    Simply try adding another &id=idyoucontrol onto the request. For example: https://www.example.com/add-friend?who=1&who=2. The server may check the first value but actually process the second.
  • Change the request and check for errors!
    This was a weird bug: to update your account information, the request required a valid hash. Sending a blank hash value would error and actually reveal the hash needed to reveal that user's information. More information can be found in this writeup.
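The HPP scenario above, as an added example (not from the tutorial): an account-update handler whose authorization check reads the first copy of a duplicated `id` parameter while the update uses the last copy, beside a version that refuses ambiguous requests and binds the write to the session. The `/account/update?id=...` URL shape, the session and the profile store are constructed for illustration.

```python
# Added example: HTTP Parameter Pollution against an IDOR check, and the fix.
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

SESSION_USER_ID = "1"  # the logged-in account ("idyoucontrol" in the text)


def fresh_profiles() -> Dict[str, Dict[str, str]]:
    """Constructed profile store: account 1 is the caller, account 2 is not."""
    return {"1": {"email": "me@example.com"},
            "2": {"email": "other@example.com"}}


def update_email_vulnerable(url: str, new_email: str,
                            profiles: Dict[str, Dict[str, str]]) -> Optional[str]:
    """The check layer reads the FIRST 'id'; the update layer uses the LAST.
    ?id=1&id=2 passes the check (id[0] == "1") but writes to account 2."""
    params = parse_qs(urlsplit(url).query)
    if params.get("id", [None])[0] != SESSION_USER_ID:
        return None
    target = params["id"][-1]
    if target not in profiles:
        return None
    profiles[target]["email"] = new_email
    return target


def single_value(params: Dict[str, List[str]], name: str) -> Optional[str]:
    """Return the parameter only when it is present exactly once."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 else None


def update_email_fixed(url: str, new_email: str,
                       profiles: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Resolve the parameter once, reject duplicates, and only ever write to
    the account that owns the session."""
    params = parse_qs(urlsplit(url).query)
    target = single_value(params, "id")
    if target is None or target != SESSION_USER_ID:
        return None
    profiles[target]["email"] = new_email
    return target
```

Frameworks differ on whether a repeated parameter resolves to its first or last value, which is exactly why the two layers in the vulnerable handler can disagree; reading the value once and rejecting duplicates removes that dependence.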