How to find that BadAss IDOR

Karansh
2 min read · Apr 25, 2021

Hey there, my name is Karan Sharma, and I’m back with a story about an IDOR and why I think you should know about it.

IDORs (Insecure Direct Object Reference)

OWASP says,

Insecure Direct Object Reference (called IDOR from here) occurs when an application exposes a reference to an internal implementation object. In this way, it reveals the real identifier and the format/pattern used for the element on the storage backend side.

So basically, if you can CRUD (or do anything else to) objects that don’t belong to you, or that you otherwise lack the permissions to touch, then it’s an IDOR!

So now you can find IDORs, right?! Yeah, probably. But let me tell you my story first.

Let’s talk about the IDOR I found.

So I was testing a private program with lots of unique features and functionalities. After testing for a while, I found a couple of stored XSS bugs which I won’t discuss here. After a month or so, I thought I should look for IDORs, but at first I couldn’t find any 😞

Then, after testing for a while, I thought of a scenario which goes like this:

I tried designing a similar application/scenario, since I cannot show screenshots here because it’s a private program 😅

Suppose this is the application, with lots of tabs! In one of them, I can create objects which are further used in creating another type of object.
Also, since there are objects, they must have unique identifiers (IDs) too!

I tried IDOR on creating, deleting, updating etc… but nothing worked!

Now if you focus on Object X-2’s objects, you may see that they use objects of Object X-1.

What if I change the ID of the Object X-1 object that an Object X-2 object points to, while editing that Object X-2 object? 😁

So Object X-2’s object is now pointing to an Object X-1 object which doesn’t belong to the current project!

Well, it worked 😸 and I was like

yeyey

Scenario:

A malicious user can read/point to objects that belong to other projects.
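To make the scenario concrete, here is an added example (my own constructed code, not from the program or the original post) modelling the nested reference: Object X-2 (here a "report") points to an Object X-1 (a "dataset") by ID. The vulnerable update only checks who owns the edited report; the fixed version also resolves the referenced dataset and requires it to live in the same project. All names, IDs and data are constructed.

```python
# Constructed in-memory model of the nested-reference IDOR (not the real app).
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when an authorization check fails."""

@dataclass
class Dataset:          # "Object X-1"
    id: int
    project_id: int

@dataclass
class Report:           # "Object X-2", references a Dataset by id
    id: int
    project_id: int
    dataset_id: int

# Constructed sample state: project 1 belongs to alice, project 2 to bob.
PROJECT_OWNER = {1: "alice", 2: "bob"}
DATASETS = {10: Dataset(10, 1), 20: Dataset(20, 2)}
REPORTS = {100: Report(100, 1, 10)}

def _own_report(user: str, report_id: int) -> Report:
    """Shared check: the caller must own the project of the edited report."""
    report = REPORTS[report_id]
    if PROJECT_OWNER[report.project_id] != user:
        raise Forbidden("report belongs to another project")
    return report

def update_report_vulnerable(user: str, report_id: int, new_dataset_id: int) -> int:
    """Checks ownership of the edited object only. The new reference is
    stored as-is, so alice can point her report at bob's dataset (IDOR)."""
    report = _own_report(user, report_id)
    report.dataset_id = new_dataset_id
    return report.dataset_id

def update_report_fixed(user: str, report_id: int, new_dataset_id: int) -> int:
    """Also resolves the referenced object and requires it to be in the
    same project as the object being edited; otherwise reject the update."""
    report = _own_report(user, report_id)
    dataset = DATASETS.get(new_dataset_id)
    if dataset is None or dataset.project_id != report.project_id:
        raise Forbidden("referenced dataset is outside this project")
    report.dataset_id = new_dataset_id
    return report.dataset_id
```

The point generalises: every ID a client supplies in a create or update request is its own object reference and needs its own ownership check, not just the object named in the URL.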

Reward: $300

Takeaway:

Don’t just test in basic ways, because that’s already been done like 10000 times before. Good dollars require a good perspective 💰

P.S.

The header image is basically meaningless 😅 But I like Gojo Satoru (a character from the Jujutsu Kaisen anime) so… yeah.

If I’ve made any mistakes above, hit me up here: karansh491

Happy Hunting,

C’ya
