How I made $$$ on an access control/IDOR bug in a few hours
This article is about how I found an access control bug and an IDOR on a well-tested target.
For those who don't know what an IDOR or access control is:
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input (typically an identifier such as /items/1234) to look up an object directly, without checking that the requesting user is entitled to that particular object. The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation (user A reading user B's record), but they can also arise in relation to vertical privilege escalation (a normal user reaching an admin-only function).
Access control (or authorization) is the application of constraints on who (or what) can perform attempted actions or access resources that they have requested. It is distinct from authentication: knowing who the caller is does not answer whether the caller may act on this object.
So the other day, I was testing this application, which had two privilege levels: Admin and a normal user. I could see that most of the IDOR/access control bugs had been reported in the analytics.
I tested for XSS, SSRF, etc. I couldn't find any of those, took a break for a few hours and came back.
My mindset was that most of the bugs had been reported and there weren't any left. (I know it's bad to think that way, but I felt that way because of the few functionalities it had.)
Tip: If you decide to pick a target, always approach it as if you're testing it for the first time. I have had instances where I felt this: many people had tested it and couldn't find anything, but I did find some bugs on it. (Not saying I'm good at it, but what you might think of might not have been thought of by others.)
So, in case you didn't know how to check for IDORs/access control bugs, it can be automated easily through a really good Burp plugin called Autorize (there's AuthMatrix too). What Autorize does is repeat each in-scope request you make as the high-privilege user, swapping in the low-privilege user's cookies and/or authorization header (and optionally sending it with no credentials at all), then compare the replayed response with the original by status code and content length and show the results in its history tab, flagging requests that appear to bypass enforcement. Treat content length as a hint, not proof: a replayed response with the same length can still be an error page of similar size, and a different length can still leak data, so confirm each flagged request by hand. Check this for info (https://www.youtube.com/watch?v=3K1-a7dnA60).
As usual, I had Autorize set up and running with the low-privilege user's cookies and auth token header, and was thoroughly browsing through the entire application as the Admin user.
There was an instance where I could see a feature where the admin user could query for details of an inventory item through an ID. Autorize showed that the request did get through. Then the problem was how we would obtain the ID, because the ID was something not brute-forceable (ab1cs12-ab12-12a2-121asubdn132, just the format, not the original). I dug a bit more and found an API endpoint where I could get all the ID values, which was an IDOR. And I was like
If I had not dug further or thought clearly, the IDOR in itself and the access control bug wouldn't have had much impact.
So, I quickly wrote a report as good as possible. They first awarded me $$$. Then after 15 days they reached out to me and rewarded $$$ again for the IDOR.
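To make the chain concrete, here is an added example (not the author's code and not the target's): a toy inventory API carrying the two bugs the post describes (an ID-listing endpoint with no tenant check, and an admin-only detail endpoint that only checks that a session exists), the hardened versions of both, and an Autorize-style replay that re-sends admin-recorded requests with a low-privilege session and with no session and compares status and body length, as described in the Autorize paragraph above. The orgs, users, tokens, item IDs and routes are all constructed for the example; nothing here comes from the real target.

```python
# Added example: toy inventory API with the post's two bugs, fixed versions,
# and an Autorize-style replay. All data below is constructed, not real.

# --- constructed data -------------------------------------------------------
ITEMS = {
    "3f9b6a1c-8d2e-4b7f-9c0a-5e1d2f3a4b5c": {"org": "acme", "name": "Pallet jack", "cost": 1200},
    "7a1e5c3d-2b4f-4a6e-8d9c-0b1a2c3d4e5f": {"org": "acme", "name": "Forklift", "cost": 31000},
    "c2d4e6f8-1a3b-4c5d-9e8f-7a6b5c4d3e2f": {"org": "globex", "name": "Conveyor", "cost": 8800},
}
SESSIONS = {  # bearer token -> principal (constructed)
    "tok-admin-acme": {"user": "alice", "role": "admin", "org": "acme"},
    "tok-user-globex": {"user": "bob", "role": "user", "org": "globex"},
}

def principal(token):
    return SESSIONS.get(token)

# --- vulnerable handlers (the behaviour the post describes) ------------------
def list_items_vuln(token):
    """IDOR: any authenticated caller receives every item ID across all orgs."""
    if not principal(token):
        return 401, {"error": "unauthenticated"}
    return 200, {"ids": sorted(ITEMS)}

def get_item_vuln(token, item_id):
    """Access control bug: meant for admins, but only checks that a session exists."""
    if not principal(token):
        return 401, {"error": "unauthenticated"}
    item = ITEMS.get(item_id)
    if item is None:
        return 404, {"error": "not found"}
    return 200, dict(item)

# --- hardened handlers --------------------------------------------------------
def list_items_fixed(token):
    """Scope the listing to the caller's own org."""
    p = principal(token)
    if not p:
        return 401, {"error": "unauthenticated"}
    return 200, {"ids": sorted(i for i, it in ITEMS.items() if it["org"] == p["org"])}

def get_item_fixed(token, item_id):
    """Vertical check (role) plus horizontal check (object belongs to caller's org).
    A foreign item gets 404, not 403, so the endpoint does not confirm the ID exists."""
    p = principal(token)
    if not p:
        return 401, {"error": "unauthenticated"}
    if p["role"] != "admin":
        return 403, {"error": "forbidden"}
    item = ITEMS.get(item_id)
    if item is None or item["org"] != p["org"]:
        return 404, {"error": "not found"}
    return 200, dict(item)

VULN_APP = {"GET /items": list_items_vuln, "GET /items/{id}": get_item_vuln}
FIXED_APP = {"GET /items": list_items_fixed, "GET /items/{id}": get_item_fixed}

# --- Autorize-style replay ------------------------------------------------------
def classify(admin_resp, other_resp):
    """Same status and body length as the admin response -> Bypassed!;
    an explicit 401/403 -> Enforced; anything else needs a manual look."""
    a_status, a_body = admin_resp
    o_status, o_body = other_resp
    if o_status == a_status and len(str(o_body)) == len(str(a_body)):
        return "Bypassed!"
    if o_status in (401, 403):
        return "Enforced"
    return "Enforced???"

def replay(app, recorded, admin_token, low_token):
    """Replay each admin-recorded request as the low-priv user and unauthenticated."""
    report = {}
    for route, kwargs in recorded:
        handler = app[route]
        admin_resp = handler(admin_token, **kwargs)
        report[route] = {
            "low_priv": classify(admin_resp, handler(low_token, **kwargs)),
            "unauth": classify(admin_resp, handler(None, **kwargs)),
        }
    return report

# Requests "recorded" while browsing as the acme admin (constructed).
RECORDED = [("GET /items", {}),
            ("GET /items/{id}", {"item_id": "3f9b6a1c-8d2e-4b7f-9c0a-5e1d2f3a4b5c"})]

def audit(app):
    return replay(app, RECORDED, "tok-admin-acme", "tok-user-globex")

def chain(app, low_token):
    """The post's chain: harvest IDs from the listing IDOR, then pull each one
    from the admin-only detail endpoint. Returns foreign items the low-priv user read."""
    status, body = app["GET /items"](low_token)
    ids = body.get("ids", []) if status == 200 else []
    leaked = {}
    for item_id in ids:
        s, b = app["GET /items/{id}"](low_token, item_id=item_id)
        if s == 200 and b["org"] != principal(low_token)["org"]:
            leaked[item_id] = b
    return leaked

if __name__ == "__main__":
    for name, app in (("vulnerable", VULN_APP), ("fixed", FIXED_APP)):
        print(name, audit(app), "foreign items read:", len(chain(app, "tok-user-globex")))
```

Against the vulnerable app both recorded requests come back "Bypassed!" for the low-privilege user, and the chain reads both of the other org's items. Against the fixed app the detail endpoint is "Enforced" (403 for a non-admin) and the listing is "Enforced???": the low-privilege user still gets a 200, just with fewer IDs, which is exactly the case where a length-based tool can only flag the request for manual review rather than decide it for you.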
Thanks a lot for reading. I hope you found some value in it. Leave your suggestions in the comments below.
I'm currently looking for a full-time job as a Red Teamer/Web Application Pentester; please reach out to me if you have any.