IDOR Numeric, Hash, Wildcard and PRNG
This commit is contained in:
Swissky
parent
84569e18e4
commit
485103e9bb
|
|
@ -247,7 +247,7 @@ echo whoami|$0
|
|||
```
|
||||
|
||||
|
||||
### Bypass with $()
|
||||
#### Bypass with $()
|
||||
|
||||
```powershell
|
||||
who$()ami
|
||||
|
|
|
|||
|
|
@ -6,69 +6,123 @@
|
|||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploit)
|
||||
* [IDOR Tips](#idor-tips)
|
||||
* [Examples](#examples)
|
||||
* [Labs](#labs)
|
||||
* [Exploit](#exploit)
|
||||
* [Numeric Value Parameter](#numeric-value-parameter)
|
||||
* [Common Identifiers Parameter](#common-identifiers-parameter)
|
||||
* [Weak Pseudo Random Number Generator](#weak-pseudo-random-number-generator)
|
||||
* [Hashed Parameter](#hashed-parameter)
|
||||
* [Wildcard Parameter](#wildcard-parameter)
|
||||
* [IDOR Tips](#idor-tips)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
- [BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)
|
||||
- [BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)
|
||||
- [BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
|
||||
|
||||
|
||||
## Exploit
|
||||
|
||||
For instance, consider a URL like `https://example.com/account?userid=123`. In this case, `123` is a direct object reference to a specific user's account. If the application doesn't properly check that the logged-in user has the right to access the account related to `userid=123`, then any user could potentially change the userid in the URL to access other users' accounts.
|
||||
|
||||
|
||||
|
||||
The value of a parameter is used directly to retrieve a database record.
|
||||
|
||||
```powershell
|
||||
http://foo.bar/somepage?invoice=12345
|
||||
```
|
||||
|
||||
The value of a parameter is used directly to perform an operation in the system
|
||||
|
||||
```powershell
|
||||
http://foo.bar/changepassword?user=someuser
|
||||
```
|
||||
|
||||
The value of a parameter is used directly to retrieve a file system resource
|
||||
|
||||
```powershell
|
||||
http://foo.bar/showImage?img=img00011
|
||||
```
|
||||
|
||||
The value of a parameter is used directly to access application functionality
|
||||
|
||||
```powershell
|
||||
http://foo.bar/accessPage?menuitem=12
|
||||
```
|
||||
|
||||
|
||||
### IDOR Tips
|
||||
|
||||
* Change the HTTP request: POST → PUT
|
||||
* Change the content type: XML → JSON
|
||||
* Increment/decrement numerical values (1,2,3,..)
|
||||
* GUID/UUID might be weak
|
||||
* Transform numerical values to arrays: `{"id":19} → {"id":[19]}`
|
||||
|
||||
|
||||
## Examples
|
||||
|
||||
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
|
||||
* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)
|
||||
- [PortSwigger/BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)
|
||||
- [PortSwigger/BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)
|
||||
- [PortSwigger/BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
* [PortSwigger - Insecure direct object references](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
|
||||
* [PortSwigger - Insecure Direct Object References](https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references)
|
||||
|
||||
|
||||
## Exploit
|
||||
|
||||
IDOR stands for Insecure Direct Object Reference. It's a type of security vulnerability that arises when an application provides direct access to objects based on user-supplied input. As a result, attackers can bypass authorization and access resources in the system directly, potentially leading to unauthorized information disclosure, modification, or deletion.
|
||||
|
||||
**Example of IDOR**
|
||||
|
||||
Imagine a web application that allows users to view their profile by clicking a link `https://example.com/profile?user_id=123`:
|
||||
|
||||
```php
|
||||
<?php
|
||||
$user_id = $_GET['user_id'];
|
||||
$user_info = get_user_info($user_id);
|
||||
...
|
||||
```
|
||||
|
||||
Here, `user_id=123` is a direct reference to a specific user's profile. If the application doesn't properly check that the logged-in user has the right to view the profile associated with `user_id=123`, an attacker could simply change the `user_id` parameter to view other users' profiles:
|
||||
|
||||
```ps1
|
||||
https://example.com/profile?user_id=124
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
### Numeric Value Parameter
|
||||
|
||||
Increment and decrement these values to access sensitive informations.
|
||||
|
||||
* Decimal value: `287789`, `287790`, `287791`, ...
|
||||
* Hexadecimal: `0x4642d`, `0x4642e`, `0x4642f`, ...
|
||||
* Unix epoch timestamp: `1695574808`, `1695575098`, ...
|
||||
|
||||
**Examples**
|
||||
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
|
||||
* [HackerOne - Delete messages via IDOR - naaash](https://hackerone.com/reports/697412)
|
||||
|
||||
### Common Identifiers Parameter
|
||||
|
||||
Some identifiers can be guessed like names and emails, they might grant you access to customer data.
|
||||
|
||||
* Name: `john`, `doe`, `john.doe`, ...
|
||||
* Email: `john.doe@mail.com`
|
||||
* Base64 encoded value: `am9obi5kb2VAbWFpbC5jb20=`
|
||||
|
||||
**Examples**
|
||||
* [HackerOne - Insecure Direct Object Reference (IDOR) - Delete Campaigns - datph4m](https://hackerone.com/reports/1969141)
|
||||
|
||||
|
||||
### Weak Pseudo Random Number Generator
|
||||
|
||||
* UUID/GUID v1 can be predicted if you know the time they were created: `95f6e264-bb00-11ec-8833-00155d01ef00`
|
||||
* MongoDB Object Ids are generated in a predictable manner: `5ae9b90a2c144b9def01ec37`
|
||||
* a 4-byte value representing the seconds since the Unix epoch
|
||||
* a 3-byte machine identifier
|
||||
* a 2-byte process id
|
||||
* a 3-byte counter, starting with a random value
|
||||
|
||||
**Examples**
|
||||
* [HackerOne - IDOR allowing to read another user's token on the Social Media Ads service - a_d_a_m](https://hackerone.com/reports/1464168)
|
||||
* [IDOR through MongoDB Object IDs Prediction](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
|
||||
|
||||
|
||||
### Hashed Parameter
|
||||
|
||||
Sometimes we see websites using hashed values to generate a random user id or token, like `sha1(username)`, `md5(email)`, ...
|
||||
|
||||
* MD5: `098f6bcd4621d373cade4e832627b4f6`
|
||||
* SHA1: `a94a8fe5ccb19ba61c4c0873d391e987982fbbd3`
|
||||
* SHA2: `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08`
|
||||
|
||||
**Examples**
|
||||
* [IDOR with Predictable HMAC Generation - DiceCTF 2022 - CryptoCat](https://youtu.be/Og5_5tEg6M0)
|
||||
|
||||
|
||||
### Wildcard Parameter
|
||||
|
||||
Send a wilcard instead of an ID, some backend might respond with the data of all the users.
|
||||
|
||||
* `GET /api/users/* HTTP/1.1`
|
||||
* `GET /api/users/% HTTP/1.1`
|
||||
* `GET /api/users/_ HTTP/1.1`
|
||||
* `GET /api/users/. HTTP/1.1`
|
||||
|
||||
|
||||
**Examples**
|
||||
* [TODO]()
|
||||
|
||||
|
||||
### IDOR Tips
|
||||
|
||||
* Change the HTTP request: `POST → PUT`
|
||||
* Change the content type: `XML → JSON`
|
||||
* Transform numerical values to arrays: `{"id":19} → {"id":[19]}`
|
||||
* Use Parameter Pollution: `user_id=hacker_id&user_id=victim_id`
|
||||
|
||||
|
||||
## References
|
||||
|
|
@ -76,7 +130,10 @@ http://foo.bar/accessPage?menuitem=12
|
|||
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
|
||||
* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
|
||||
* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
|
||||
* [IDOR tweet as any user](http://kedrisec.com/twitter-publish-by-any-user/) by kedrisec
|
||||
* [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
|
||||
* [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)
|
||||
* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
|
||||
* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
|
||||
* [IDOR - how to predict an identifier? Bug bounty case study - Bug Bounty Reports Explained - ](https://youtu.be/wx5TwS0Dres)
|
||||
* [Testing for IDORs - PortSwigger](https://portswigger.net/burp/documentation/desktop/testing-workflow/access-controls/testing-for-idors)
|
||||
* [Insecure direct object references (IDOR) - PortSwigger](https://portswigger.net/web-security/access-control/idor)
|
||||
* [The Rise of IDOR - HackerOne - April 2nd, 2021](https://www.hackerone.com/company-news/rise-idor)
|
||||
|
|
@ -5,6 +5,8 @@
|
|||
* [GUID / UUID](#guid--uuid)
|
||||
* [GUID Versions](#guid-versions)
|
||||
* [Tools](#tools)
|
||||
* [Mongo ObjectId](#mongo-objectid)
|
||||
* [Tools](#tools)
|
||||
* [References](#references)
|
||||
|
||||
## GUID / UUID
|
||||
|
|
@ -38,6 +40,25 @@ The four-bit M and the 1- to 3-bit N fields code the format of the UUID itself.
|
|||
$ guidtool 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c -t '2021-11-17 18:03:17' -p 10000
|
||||
```
|
||||
|
||||
## Mongo ObjectId
|
||||
|
||||
Mongo ObjectIds are generated in a predictable manner, the 12-byte ObjectId value consists of:
|
||||
* **Timestamp** (4 bytes): Represents the ObjectId’s creation time, measured in seconds since the Unix epoch (January 1, 1970).
|
||||
* **Machine Identifier** (3 bytes): Identifies the machine on which the ObjectId was generated. Typically derived from the machine's hostname or IP address, making it predictable for documents created on the same machine.
|
||||
* **Process ID** (2 bytes): Identifies the process that generated the ObjectId. Typically the process ID of the MongoDB server process, making it predictable for documents created by the same process.
|
||||
* **Counter** (3 bytes): A unique counter value that is incremented for each new ObjectId generated. Initialized to a random value when the process starts, but subsequent values are predictable as they are generated in sequence.
|
||||
|
||||
### Tools
|
||||
|
||||
* [andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict) - Predict Mongo ObjectIds
|
||||
```ps1
|
||||
./mongo-objectid-predict 5ae9b90a2c144b9def01ec37
|
||||
5ae9bac82c144b9def01ec39
|
||||
5ae9bacf2c144b9def01ec3a
|
||||
5ae9bada2c144b9def01ec3b
|
||||
```
|
||||
|
||||
### References
|
||||
|
||||
* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
|
||||
* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
|
||||
* [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
|
||||
Loading…
Reference in New Issue